At the System Safety Conference three years ago to which Mr. Bolger alluded, we explained what system safety could do, we reviewed its early applications, and hinted at its potential. Then when Bob Helgeson summarized the conference, he said that system safety has come of age and it is time to consolidate the gains. We meet today to hear about the gains and view the broader industrial scope of system safety. I feel that one of the important gains is that its reception among engineers and executives is far better now than it was two years ago. To do this the engineers, executives and program managers had to surrender some of their instinctive feeling that they know all there is to know about safety; that therefore there is no need for a separate discipline on design or operational safety, no need for a well-prepared plan of checks and balances to combat the elements that are antagonistic to the identification and control of undesired events. Some of these antagonistic elements are meeting schedules, cost constraints, production problems, performance, and the "not invented here factor." Dr. George Mueller, who at that time was head of the Office of Manned Space Flight, stimulated system safety by defining system safety as "organized common sense." The Office of Manned Space Flight Safety in 1967 recognized system safety as a separate discipline and prepared the Apollo Program System Safety Directive. System Safety has since become part of the NASA Safety Manual and the concept is spreading throughout NASA. System Safety means the identification and control of foreseeable hazards as well as the documented rationale of residual risks that have to be accepted. The historical role of safety was to take corrective action after the undesired event had occurred. Of course the lessons learned from the undesired events are required inputs to system safety. But we now try to act beforehand to prevent rather than react to a loss. The old-fashioned waiting for an accident and then taking corrective action is commonly referred to as "tombstone" safety. The problem of trying to foresee the hazards to prevent them is a grand strategy directed towards curtailing losses throughout the life of the hardware. This is in contrast to the old way of doing things, which was the tactical approach of waiting to search and destroy the immediate enemy (accident when it occurred). We now try to foresee these undesired events through system safety. We of course favor the strategical approach in place of the tactical approach though both of course are necessary.

The constraints of schedule, cost, performance and production which I mentioned before and even public pressures must be included in the grand strategy. Hazards are not limited to hardware. They include software, procedures, awareness. All assumptions on which decisions are based should be recorded for periodic review. System safety comes at an opportune time. Risks of great magnitude are increasing. This may mean a single risk such as an Apollo or the Alaska pipeline or it may mean millions of people exposed to individual risks as on the highways or the railways.

As management of industry or government projects becomes more beset by the political, economic or loss of prestige implications of mission failures, they will be impelled to turn with increasing attention to the systematic approach to loss prevention known as System Safety.

In his welcome remarks at our first conference, Dr. John Clark, our host, had some words of wisdom. I'd like to quote them. He said, "In order to sell the project manager on the necessity for integrating safety into the total program, he must be sold on the idea that project safety is synonymous with project success." A specialist in the field of safety is needed to look after safety, to help line management, to handle the whole safety job, not do it with their left hand, so to speak. Both groups must work together. Safety should be instituted in the conceptual design, before hardware design is started. One has to build in safety at this point if there is to be a good chance of achieving it further downstream. Then when the prototype hardware is ready to go into test, make sure the testing is adequate. This can be a hazardous procedure. It is a time when one must be very careful to integrate the safety plans with a review of the adequacy of the total system.

There are very powerful forces that are pushing for the acceptance of system safety. The most prominent force is the adoption of system safety by Government agencies, the Department of Defense, NASA, Department of Transportation, Federal Aviation Agency. The consumer movements spearheaded by Government agencies such as the National Commission on Product Safety, the Special Assistant to the President for Consumer Affairs, the Highway Safety Act, the National Transportation Safety Board, as well as non-Government consumer protective groups, all are acting in such a way that guarantees the future of system safety or its concept by whatever name it is called. I prefer Risk Management.

In the home product field last year there were 30,000 people killed, 20,000,000 injured, a total loss of $5.5 billion. This shows where system safety has scope in fields other than space and aviation. The new Occupational Health and Safety Act will create a safety climate that will reach down to the smallest business enterprise, when the Department of Labor begins to enforce its standards. Self-defense will compel industry to adopt the system safety approach for the industrial type of accident prevention, including fire. Another very powerful influence for promoting system safety is the insurance industry, especially that part of the insurance industry that writes product liability insurance. The costs of law suits and settlements are becoming ever larger. The best defense for industry is proof to the jury that it has made a well organized and documented attempt to foresee and deal with identifiable hazards. The Kemper Insurance Co. of Chicago has put out a book called "Product Liability" which tells its insured how to protect themselves in the case of a law suit. This little booklet is just another definition of system safety. Incidentally, it includes "motivation" which sometimes is forgotten in the system safety program.

With these forces pushing system safety ahead, I foresee a fine future for it. The marriage of management with risk analysis, safety engineering, test procedures, will save much suffering and untold billions of dollars by putting hindsight where our foresight should be. It may be difficult if not impossible to prove such gains have been made, but we should all watch for them so that when we have this conference in 1974 you will be able to report on them.

I quoted some words of wisdom from Dr. John Clark, our host. I would now like to introduce him.
Thank you Mr. Bolger, Congressman Pettis, and Ladies and Gentlemen. Good Morning and welcome to the Goddard Space Flight Center.

We are pleased to again host the Government-Industry System Safety Conference here at Goddard. We hope your meeting will be successful and your stay in the Washington area will be pleasant.

I noted from the Program that you will have many interesting topics and able speakers during the next few days, and I hope to be able to drop in from time to time to hear some of the sessions. I understand that Goddard is represented by approximately 50 members of our staff and so I am sure your discussions will impact the Center's thinking.

At the last conference I made three points which I felt were basic to the promotion of safety programs. The first is the necessity to persuade the project manager that project safety is synonymous with project success. Second, that a team approach between the line manager and the safety specialist is necessary to detect the unanticipated hazards, the ones that hurt us most. Third, that a formal system is required to bring the safety specialist and the line manager together during at least three phases of a project: the review of the conceptual design, review prior to the testing of prototype hardware and during the Flight Readiness Review.

It seems to me that these elements are just as applicable today as they were three years ago. Today, however, with the theme of this conference being "Applications and Experience" gained since the last conference, it might be prudent for me to explore this idea further and discuss the application of these ideas. Clearly, System Safety has a place in Manned Flight, but for unmanned missions some feel mission success is more directly dependent upon reliability and quality control functions. This seems to me to demonstrate a lack of understanding of what system safety is. There is an excellent short article in the September 1970 issue of Machine Design entitled Spotting Trouble Before It Happens which puts this comparison into language that a project manager might readily understand. The article compares fault tree analysis, frequently used as a systems safety tool, with failure mode analysis long used as a reliability function tool. An analysis which begins with the definition of an undesired event and works down from the highest level subassemblies may well point up risks which a method that begins at component level may not.

Development of the team approach between the safety specialist and the line manager requires mutual respect and confidence between the two. In practical application, it must be understood by the line manager that safety is his responsibility. It cannot be separated from his management functions any more than coordination or decision-making can. The safety specialist's effort, therefore, must be in addition to this line management responsibility, not substituted for it.

My third point stressed the importance of including in the review cycle at various stages assurance that collaboration between the safety specialist and the line manager takes place. I think this straight-forward concept requires little explanation. It is important, however, to extend the review beyond just hardware systems. The operations performed by people must also be considered. At Goddard prior to each Apollo mission we have our medical staff review the records of our key personnel to assure that they have inoculations for virus and other prevalent illnesses as well as a recent physical. In addition, we try to provide contingency plans to cover the emergency absence of a key figure. We try to expend adequate thought and analysis to determine back up requirements to eliminate the necessity for individuals to work extended shifts which might tax their efficiency. These are examples of the type of personnel systems review that needs to be addressed in addition to hardware review. Responsible managers must provide positive assurance that their personnel systems are as error-free as is their hardware.

In keeping with the theme of this year's conference, I have tried to elaborate on my opening remarks of three years ago, expand them and speak of their application. We hope that conferences such as this will help lead the way toward not only application of known principles but in exploring the frontiers of the state of the art of risk management.

Thank you for honoring the Center by your presence. We hope you will have a successful and enjoyable meeting.
Thank you, Mr. Chairman. Mr. Lederer, distinguished speakers, ladies and gentlemen.

It would be presumptuous of me to try to tell this audience anything about System Safety. You are the experts on that subject. I'm sure you'll be even more expert after you've been exposed to the excellent program that NASA has assembled here for you.

However, I am vitally interested in all aspects of System Safety. My years as a commercial pilot instilled in me a profound respect for any policy, procedure, or system that would contribute to the improved safety of my passengers, my airplane, or myself.

More recently, my years of service on the House Science and Astronautics Committee have enabled me to appreciate — at first hand — the unprecedented hazards, both on the ground and in space, that have been generated in the Space Age as we have responded to man's eternal challenge to explore his environment — and to satisfy his always urgent need to know. I have seen the magnificent response by creative and dedicated program managers and safety engineers — like many of you here — who have worked together with your partners and associates in Industry to make space travel the safest mode of transportation developed for Earth men — so far.

You know, I think it's safer to be on an Apollo flight crew than it is to be in Congress these days — what with bombing the Capitol building — the May Day demonstrations — and the recent threats to stop the normal functions of our national government. If we can't make our governmental systems safe, how can we ensure the safety of our citizens? How about some of you working on System Safety Capitol Hill? I don't believe it would be any tougher than making the Apollo Saturn safe.

At any rate, since I'm not a Safety Engineer, I thought I'd talk about the application of System Safety Principles toward the solution of planetary problems. American space travel via Mercury, Gemini and Apollo — has proven that we have learned to control the hazards we've encountered. Space travel via Planet Earth — throughout recorded history — has proven much more difficult. We might almost say that the hazards seem to have controlled us. Surely, we can learn to do something about that. If we could put six Americans on the moon, we can do anything — if we care enough to try.


The System Safety concept — the principles and the professional know-how — may be much more important than we've realized.

I am aware that the theme of my address may seem to be a little bit pretentious — "System Safety — Planet Earth". Are we ready for it? How much longer can we do without it?

What I'd like to do today is to expose — and try to clarify — a concept. The concept is relevant to this conference because the principles of safety — especially when applied with the expertise of systems management — are of universal value.

This gathering is symbolic of a much larger society. You represent many aspects of our national life. We have in America a complex system of government, purposely representative of all elements of our modern civilization. Among you here today are safety-oriented leaders from diverse industries, colleges and universities, and a wide spectrum of government agencies. Over seventy different types of groups can be identified. More specifically, you are professionally interested in all armed services, all modes of transportation and the national space program. The AEC, HEW, FAA, Interior, the Post Office Department, the TVA, the Library of Congress, the GSA, the National Bureau of Standards, the National Transportation Safety Board — as well as the District of Columbia and other Community and State governments — are all here.

It's safe to say that most of you are professional safety engineers, or managers with safety responsibilities. Your common interest provides a common bond. It has brought you together with NASA as the catalyst. Mutual interests and responsibilities motivated you to join us here today. Why?

Why are we so interested in safety? Because it's our job? Or do we believe in — are we dedicated to — the principles behind the safety concept — the preservation of human life, the conservation of materials, and the assurance of mission success?

Were you taught that Self Preservation was the first law of Human Nature? I was. The traditional right of self defense — for an individual or a nation — derives from that fundamental Law of Self Preservation. There is an even more basic law in Nature — related to the instinct to survive — to grow to maturity — and to reproduce in kind. Survival, defense and preservation of self — are directly related to the safety concept.

The concept of freedom seems to be a natural extension — or a more evolved development — of that Law which recognizes that a man must live in freedom truly to preserve himself. We've tried to develop a way of Life in America that provides the best possible environment — and the safest — in which to live and grow. National Safety is also National Security.

We recognize "inalienable rights" that protect individual freedoms to live and grow — as long as those rights are not distorted into license — to deny another's freedom or his rights. This freedom or these rights are never relevant, unless we value the individual units of society as being human beings. Rights and freedoms become meaningful only if we value the human being and his native rights — to live, to grow, or to become responsible for his own choices.

Our founding fathers were concerned with safety. They believed in the value of a human life. They even believed that the principle of freedom was inherent in a Law of Nature conceived by Nature's Creator. Whether we share that belief, it is undoubtedly the reason that Americans, traditionally, have set high values upon human life, their own or someone else's.

For nearly 200 years we have believed in this principle so much that we have often risked — and even sacrificed — our own lives, that others, weaker or more threatened than we, could also share the "blessings of Liberty".

What does this have to do with System Safety? Well, we sometimes refer to our "system of government", or even "the free-enterprise system". But more "right on", perhaps, the value of the life is essential to the safety concept. If life has no value, why protect it?

But we don't always obey law — even a Natural Law. We are just beginning to recognize, on a planetary scale — thanks to our Space Age perspective — some of the awesome problems that we face when we disregard or disobey the laws of nature. "Self preservation" now pertains to all humanity. Planetary Security is directly related to the essential natural resources of our planet.


Self Preservation is inseparable from global ecology. The planetary system environment and our own viability as a part of that system are totally inter-related. They always have been. But we are now becoming very aware of this vital relationship. Conservation has now become an urgent mission, not just a part-time pastime.

Politically, the current problem seems to be, how to work for conservation without appearing too conservative.

I understand that three years ago you held the first of these System Safety Conferences. It must have been extremely successful. Look to what has been accomplished in those few years.

We've landed three Apollos on the moon. Six men from Earth have leaped around in moon dust — and even "mulligan" — and have returned to share unique experiences with Earth-bound men. Leaders like Jerry Lederer, Phil Bolger and their safety teammates must get due share of the credit — as should all of you who helped them. A very special mention should go to a canine astro-pup called Snoopy — perhaps the most successful safety engineer of all. Magnificent "mission success", shared with all humanity — in the face of unprecedented risk to life — with fantastic operational hazards to be overcome.

The tremendous learning experience of Apollo 13 may have been the most impressive of all — in retrospect. The whole world was able to appreciate what value we placed upon the lives of astronauts. Perhaps we came much closer to the realization of System Safety Planet Earth as a result.

Of course, human life, primary though it is, is not the only safety consideration. There is the economy of resources — of time, energy, money, and materials — of equipment and facilities — that is always at stake and riding with the mission — not to mention the maintenance of public support for our manned space program itself. In this total light, the Safety of the System becomes paramount.

How can the uninitiated ever appreciate the value of the system safety concept? It really isn't easy. That may be why travel through space on Planet Earth has been so hazardous. It takes experience and intelligence. Wisdom is better — though much more rare. It takes discipline and training and knowledge combined with skill. But even more, it takes alertness — or "awareness" — and a very special kind of caring that produces individual responsibility. It all adds up to what can be called — "Human Reliability" — the most essential ingredient in any mission.

Instinct helps but we can't fly to the moon by the "seat of our pants". That seems to be the way we've been "piloting our planet".

But it wasn't instinct that permitted man to fly. Our physical bodies weren't optimized for flight. We had to learn to counteract the effects of the Law of Gravity — or, more accurately, we had to learn to cooperate with a Natural Law that we call "gravity" in a way to make manned flight feasible.

I recall many steps in the process. Ground school training — the flight simulator — flying, with an instructor — the dual controls — level flight — take-offs and, you hoped, safe landings, and finally — the solo. Then more difficult maneuvers — instrument flying, in worse than "field-grade" weather — and the responsibility for other lives in an aircraft under your control. And then, an entirely different set of standards for piloting commercial passengers — on scheduled flights.

The basic idea of System Safety was inherent in the training of a pilot from the very first day. You were taught to recognize different kinds of dangers — like the approach to a stall — or entering cloud or turbulent formations. You had to achieve the unnatural discipline of total reliance on instruments. You learned that most fatalities were caused when pilots ignored the "envelope of danger". That's just as true today. I still fly my own airplane and I still have to obey all the rules. You're particularly aware when you have your own family on board. Airline passengers take it for granted that the pilot is behaving like a System Safety Engineer — on duty — and totally aware.

Space Flight has forced us to advance and accelerate the state of the art of System Safety. The System Safety process involves an orderly understanding of the hazards to be encountered — and the development of reliable ways to control them. There is a lesson here for solving planetary problems.

Whether it's ground safety, industrial safety or flight safety — reliability isn't good enough — not any more, not with an astronaut on board — not with so much riding on the mission.

Space flight safety provided more complex problems to solve — but the principles were the same. And all through the process — the priceless ingredient was always — and will always be — what might be called, the Human Reliability Factor — in the careful identification and evaluation of hazards — to human life — to the economics of time, materials and money — and to ultimate mission success. The principles apply to humans and to hardware. People make the hardware. People use the hardware. People must control the environment or the environment will control the people.

All these factors directly affect the "viability" of the System — and the viability of any "human systems" whose lives are risked. The human systems, at least to us, are the most priceless of all subsystems.

We recognize now that system safety must be foremost in the minds of managers throughout all phases of research and development programs as well as during operation of the systems. We recall the historic battle — (or was it the kingdom?) — that was lost for lack of a horseshoe nail.

During your last Conference, three years ago, Dr. George Mueller described System Safety Engineering as being "organized common sense". I'll buy that — but common sense seems to be getting more uncommon every day.

There are some bright spots though and I'd like to reflect a little light from one of the brightest. I'm sure all of you have heard of "Spaceship Earth" by now. It's a useful, though rather challenging concept being effectively expressed by its inventor, Buckminster Fuller. (I'm sure the more "pragmatic" types would label it "simplistic".)

"Bucky" Fuller, now an energetic 75 or so, recently wrote a book called "Operating Manual for Spaceship Earth". Since then he has also invented and developed the "World Game". I'm sure Fuller has defined the patterns related to "System Safety Planet Earth" better than I could. He thought about the concept and understood our planet Earth as an integrated system — a long time before the Apollos made their impacts on our minds and hearts.

Fuller is optimistic about our chances for safely piloting the passengers and crew of Spaceship Earth into a more creative, harmonious and prosperous future — if we put our best minds and strongest wills to accomplish mission success.

Buckminster Fuller is not just a dreamer — although he's not afraid to dream — or to make full use of his fertile imagination. He has assembled impressive credentials. Fuller has developed more than 150 separate patents in 58 countries of the world. 10,000 of his geodesic domes — like the one assembled at Expo 67 — are scattered over the globe. His name has 26 honorary degrees tagged on behind it. He's a multi-disciplinary systems-management task force, all in one — being simultaneously described as architect, cartographer, cosmogonist, designer, engineer, inventor, mathematician, philosopher — thinker and problem-solver — and even a poet. He's young and very idealistic, for his age. How can we train more "specialized generalists" like Bucky? When asked to describe himself, Fuller says, "I am a random element."

Are you wondering whether Bucky Fuller is relevant to a conference on System Safety? I think he is. Just as relevant as a conference on System Safety is to the mission success of Spaceship Earth.

We understand that System Safety Engineers must consider carefully all aspects of the environment in which the system is to operate. Recently, we have learned something about the hazards in space. We have also learned — through costly centuries of history — something about the hazards on board Spaceship Earth. On a planetary scale, we haven't learned enough yet about hazard analysis, risk avoidance or over-all systems management. We have a long way to go toward controlling our environment. We are just beginning to understand the Life Cycle of the System. Our essential feedback is all too often — distorted, garbled in transmission or completely blacked out.

In accordance with the System Safety approach, could we revise the mission to reduce exposure to hazard and minimize our risks? Revise the planetary mission? Perhaps — if we knew what our mission really was. That's been the age-old riddle for mankind to solve. Unless we know our purpose we never can define what's "relevant". If you don't know where you're going — or why — how do you know what to take along — how to train yourself — or what kind of guidance you will need?

Maybe when we see the world, as Bucky Fuller does, as a complex unity — of inter-related and dynamic systems — we might give better thought to the original System Designer — and try to discover and define His system concept. If He didn't have mission success in mind — then nothing has much meaning. And if — He was capable of designing — even the simplest atom — and setting it in motion — then He could have had in mind a perfect System Safety plan for us to follow.

The traumatic and inspiring experience of Apollo 13 now can be given profound symbolic meaning. The life on board became vitally important to millions of fellow passengers on Spaceship Earth. For a few moments in history we glimpsed the highest priority. The support crew focussed on solving the most urgent problem — and succeeded like seasoned professionals.

Can we ever keep our planetary passengers safe? Can System Safety Planet Earth ensure ultimate mission success? Or will the immaturity and irresponsibility of some of the crew members prove fatal to the mission? Will some of us — always be willing to escalate the risks and amplify the hazards — like playing "chicken" on a planetary scale — using risk as a weapon system with which to threaten, intimidate, and take over the controls of Spaceship Earth — in a ruthless attempt to hijack — willing even to abort the mission unless they can command the ship — absolutely — once, and for all?

To enjoy life on Earth as a "viable humanity" — "capable of sustaining life and growth" — we must also maintain a viable planetary system. To achieve mission success we must first identify our mission on this planet. When we begin to even understand that question and to formulate a "common sense" approach to find the answer — only then will we begin to be secure — for the first time in all of human history.
I was pleased as well as honored when Jerry Lederer invited me to deliver the "kick off" remarks to this Second Government-Industry System Safety Conference.

To those who have been working on development of new and sophisticated hardware, the notion of a systems approach to problem solving is old hat. Everyone in NASA understands what is meant by a systems approach and that is surely an important reason why this Second System Safety Conference can be addressed to applications and not to continued discussion of what is meant by a "systems" approach to safety problems.

As Assistant Secretary for Safety in the Department of Transportation it is a function of my office to try to help lead the Department in the safety area. I believe the systems approach to safety problems can make significant contributions in improving transportation safety. The infusion of systems concepts and thinking into the overall approach to safety programs will, in my judgment, be of benefit to all concerned. I'm certain I won't have any difficulty selling the idea of a systems approach to transportation safety to this group. I am sure that my colleagues in the Department of Transportation are equally interested.

Although the Department of Transportation is four years old the decision was only recently made to establish a single, high-level advisor with Department-wide responsibility for safety coordination. The Secretary expects me to assist him in establishing uniform safety policies and practices throughout the Department and to help him evaluate the responsiveness of our safety programs to the public need. He outlined my responsibilities quite clearly when he said, and I quote:

"The Department's safety programs are 
now administered under differing philo- 
sophical and procedural concepts. Some of 
these differences are caused by the various 
statutes which created the programs and 
some have been a matter of administrative 
choice. I believe that all of these safety 
programs, although administered by dif- 
ferent elements of the Department should 
be administered under uniform policies to 
the extent possible." 

In short, what the Secretary had in mind 
was that the Department's safety programs be 
regarded as a unified transportation safety 
system. It is an important part of my office's 
function to help lead the Department toward 
development of a unified, consistent, systems 
view of transportation safety. 

Before discussing the kinds of systems 
safety activities that we are considering, it's 
worth taking a few moments to examine what 
is now being done. I cannot over-emphasize the 
importance attached to safety within the De- 
partment of Transportation. The legislation 
which established the Department specifically 
requires that it develop "national transporta- 
tion policies and programs conducive to the 
provision of fast, safe, efficient, and convenient 
transportation." The word safe, which is 
strongly emphasized in the legislation, is given 
utmost attention throughout the Department, 
and continues to grow in importance. 

Each of the major operating administrations 
within the Department has one or more of its 
key offices devoted exclusively or almost ex- 
clusively to safety. The Federal Highway Ad- 
ministration has an Associate Administrator 
who is responsible for Motor Carrier and High- 
way Safety. 

The Coast Guard has key offices respons- 
ible for Merchant Marine and Boating 
Safety. 

And the Federal Railroad Administration 
has a Bureau of Railroad Safety. 

These are all positions at the highest levels 
within their agencies. Safety is, of course, what 
the National Highway Traffic Safety Adminis- 
tration is all about. To a very great extent, the 
same is true of the Federal Aviation Admin- 
istration. The Offices of Hazardous Materials 
and Gas Pipeline Safety are pure safety regu- 
latory organizations. 

The National Transportation Safety Board, 
created by Congress under the Transportation 
Act of 1966, has broad powers to recommend 
safety practices in all modes of transportation. 
It determines the probable cause of accidents, 
and proposes corrective actions through safety 
recommendations. 

Secretary Volpe has clearly indicated that 
the operating administrations within the De- 
partment shall retain their safety responsi- 
bilities. However, he expects my office "to 
assist in the development of more compre- 
hensive, coordinated and cohesive vehicle and 
system safety programs in and among the 
operating administrations." 

The preceding comments indicate the very 
high priority given to safety in the Department 
of Transportation. The presence of several 
speakers from our Department at this meeting 
is further witness to the importance we attach 
to safety. I know that excellent system safety 
efforts are going forward within individual 
modes of transportation. But I am far less 
certain about our basis for determining how 
safety resources and efforts should be allo- 
cated among either competing programs within 
individual modes, or among all of the modes. 

I feel confident that we do a good job of ap- 
plying systems safety skills to particular prob- 
lem areas. But I have doubts about the perspec- 
tive with which we allocate our systems safety 
resources among the numerous demands on 
these resources. I will try to illustrate this 
point with several examples of situations that 
we face within the Department of Transporta- 
tion. 

Consider that motor vehicle accidents ac- 
count for over 90 percent of all transportation 
fatalities in the United States. As a result, a 
one percent increase in the motor vehicle death 
toll would have an approximately equivalent 
effect on total lives lost as a 10 percent in- 
crease in the combined death toll from all other 
causes of transportation fatalities. Viewed the 
other way around, if we could reduce motor 
vehicle fatalities by one percent, we would save 
roughly the same number of lives as we would 
if we reduced fatalities in all of the other modes 
combined by 10 percent. This simple illustra- 
tion poses what should be an obvious question. 
Namely: What are the relative results of safety 
improvements in the various modes of our 
transportation system? And, are we making 
our transportation system safety investments 
in ways that promise to maximize the number 
of lives saved? I’m not convinced that the 
answers to such questions have been explicitly 
worked out or furnished to the Secretary of 
Transportation. 

It seems clear that the answer to such sys- 
tems safety questions would place the Secretary 
in a better position to make decisions on allo- 
cating the Department’s safety resources 
among the several modes. I have a strong 
suspicion that such questions go unanswered 
in many Government agencies. We, as safety 
specialists, should be concerned that answers 
to such broad systems safety questions are pro- 
vided — or, at least, that the questions are 
explicitly raised. 

Comparing 1970 with 1969, there was a 2 
percent decline in fatal transportation acci- 
dents. This decline was dominated by, and 
principally reflects, a 2 percent decline in 
motor vehicle accidents. However, in 1970 
accidents either declined or held steady 
in all modes of transportation. This oc- 
curred despite considerable growth in 
transportation usage. Aviation fatalities 
declined by about 10 percent, and rail- 
road fatalities declined by about 5 per- 
cent. At the same time, the two other 
major areas of transportation fatalities— 
marine and grade-crossing accidents — 
remained roughly unchanged. 

Such comparative data pose an interesting 
question for Department of Transportation sys- 
tems safety specialists to ponder. Could we, 
or should we, set ourselves arbitrary safety 
targets? For example, we could establish an 
objective that the number of fatalities in each 
transportation mode should not be permitted to 
increase. Such an objective would doubtlessly 
lead to wide disparities in the amounts spent 
for lives saved in different modes, and could 
probably not be justified on economic grounds 
alone. Nevertheless, information on the cost of 
such a policy objective would be of immense 
value to the Secretary. 

Secretary Volpe recently testified before a 
Senate Committee that it is a Department of 
Transportation goal to cut in half by 1980 the 
number of people killed on our highways. This 
provides a specific goal for the Department of 
Transportation. The questions that its systems 
safety specialists ask are: First, what are the 
alternatives available for achieving this spe- 
cific goal? Second, what are the costs asso- 
ciated with each of these alternatives? Some 
of these costs will be measured in dollars, 
while others will be measured in terms of con- 
straints imposed on operators of motor ve- 
hicles. 

I believe there is an important need for de- 
velopment of information on the safety options 
available to agency or department top manage- 
ment, and on the costs associated with these 
options. In the Department of Transportation, 
the options should include such choices as 
holding the line on increases in accidents, or 
cutting accidents in half by some particular 
time. This is the kind of information which 
will provide top management with perspective 
on their safety problems, and will furnish 
them with the material they need to go forward 
with safety programs. It is my impression that 
such information is now sorely lacking in many, 
if not all, government agencies. 

My office has been assigned the responsi- 
bility for initiating work on development of a 
series of goals and objectives for the Depart- 
ment of Transportation safety programs. 
Initial steps in carrying out this assignment 
will involve making forecasts of the number of 
accidents that can be expected in each of the 
several modes of transportation, and of ex- 
amining trends and accident rates. Thereafter, 
it will be necessary to consider possible acci- 
dent reducing measures as well as the savings 
that will result from the reduced accidents. 

As I have tried to emphasize, this is the kind 
of information the Secretary needs for all 
modes of transportation. He needs to know a 
great deal more about the cost and results of 
system safety improvements. He has no choice 
but to view the safety problem in the perspec- 
tive of costs and benefits. As safety specialists, 
we should also try to view the problems this 
way. Then we will be in a position to provide 
our bosses with the information they need. 

We must approach our problem broadly. 
Thus, analysis of means to reduce automobile 
accidents is not limited to such considerations 
as the building of better roads and more crash- 
worthy cars. It also examines such options as 
expenditures for improvement of traffic law 
enforcement. Or for more prominently adver- 
tising the dangers of drinking and driving. Or 
for improving (and perhaps subsidizing) state 
auto inspection programs. The point is that re- 
ducing automobile accidents is a systems prob- 
lem in the broadest sense, and the mechanical 
steps that might be taken to improve the situa- 
tion should be viewed as nothing more than 
segments among a broad array of alternatives. 
Indeed, these alternatives should include pos- 
sible steps that might be taken to divert people 
from use of autos to use of far safer public 
modes of transportation. 

Research now going forward in the Depart- 
ment of Transportation provides an example of 
systems safety analysis which, I believe, very 
nicely illustrates the kinds of broad perspective 
in which safety can and should be approached. 
Safety would be improved if travelers could be 
induced to use public transportation instead of 
their own autos. It is observed that common 
carriers are required to maintain a degree of 
safety far in excess of that in user operated 
modes. This high level of safety is ultimately 
reflected in the cost to the fare-paying passen- 
ger. On the other hand, the costs of the Na- 
tional Highway Safety Program have been 
largely borne by the public at large through 
general taxation. As a result of these actions, 
safety costs on private transportation are sub- 
sidized by the Government. Such governmental 
action tends to raise the cost of a public trans- 
portation mode, and to lower the cost of a pri- 
vate transportation mode. As a result, govern- 
mental action in this case tends to encourage 
a shift from safer public modes of transporta- 
tion to a less safe private mode of transporta- 
tion. Viewed strictly from a safety viewpoint, 
and one must remember there are other con- 
siderations, this behavior is possibly the re- 
verse of what it ought to be. 

I believe that a systems approach to safety 
can have its largest payoff in the broad area of 
development of safety policy. To be effective at 
the highest levels of government, systems 
safety analysts must learn to view our problems 
in the same terms as the top management of 
our agencies. We must also learn to work out 
the kinds of safety trade-offs that top manage- 
ment of our agencies can easily understand and 
easily utilize. We must become skilled at taking 
account in our analyses of the full range of 
options available. If we learn to do all of these 
things well, we will have contributed signifi- 
cantly to making America a safer place in which 
to live. 

Thank you. 

INTRODUCTION 

All decisions are based consciously or un- 
consciously on the balance between benefits 
and risk. That is true for all of us, at all 
times. I am going to discuss this balance, and 
for that purpose will divide applied technology 
into two parts: Benefit-oriented and Risk or 
Uncertainty-oriented. Benefit technology in- 
cludes design, development, manufacturing or 
construction, operations. Risk or uncertainty 
technology includes safety, reliability, quality 
assurance, test, maintenance, as shown in 
fig. 1. This picture is key to the decision- 
making process. The process may be invisible, 
taking place in the decision-maker's mind from 
his knowledge of the problem, or at the other 
extreme, it may involve a process with inde- 
pendent benefit and risk departments support- 
ing and, at times, confronting each other. But 
always the decision will be affected by the bal- 
ance with which relevant information of the 
benefit and risk technologies has reached the 
consciousness of the policy maker and stimu- 
lated his interest. 

It is the importance of this balance, its 
present and potential status that is the subject 
of this paper. The premise of the discussion 
that follows is that for decision and policy mak- 
ing at all levels, knowledge of the consequences 
of risk is as important as knowledge and con- 
sequences of benefits. 

Perhaps the purpose of the paper is best 
depicted in the two cartoons of fig. 2 and 3. 
Fig. 2 represents current unbalanced benefit 
of risk presentations, while fig. 3 represents 
balanced conditions, more helpful to the deci- 
sion maker. 

The discussion of risk brings different 
things to mind to different people. Here, I use 
the term very broadly. Risk exists because one 
is uncertain about some things. These un- 
certainties could range in technology from 
areas beyond the state of the art, and lack of 
knowledge about the environment, to analyses 
and tests not made, capabilities not used, and 
human errors of all kinds. 

I treat risk and uncertainties as synony- 
mous. Technically I prefer uncertainties. Risk 
implies a number, often of vague meaning. 
Uncertainty gives a sense of needing to know 
more and wanting to do something about it. 
Professionally I think uncertainty; for public 
relations and lay communication I talk risk - 
it seems a nicer, more generally acceptable 
word. 

In addressing this subject to the safety 
community, I should point out that system 
safety is a most important part of the risk 
technology and holds an especially politically 
sensitive position in the eyes of management. 

COMMUNICATION: A PRIMARY NEED 

Nearly all engineers are dedicated to their 
work; system safety engineers are no exception 
nor are other types of engineers working in the 
risk technologies. But being trusted is not 
enough; we must justify our utility in the eyes 
of the decision-makers in relation to that of 
others who bear other technical responsibili- 
ties. It is not sufficient to argue the importance 
of the work; we must convey its value. It must 
be expressed in realistic terms and attractive 
form; and it must make it possible for the de- 
cision-maker to compare the benefit-risk ratio 
of alternative courses of action. 

The responsibility for deciding how much 
risk to take is generally viewed as the ex- 
clusive province of top or near-top manage- 
ment. And indeed top management's activities 
are almost exclusively focused on balancing 
risk against benefits on a macro scale, but 
down the line innumerable risk-benefit micro 
decisions are made without knowledge of higher 
management. Some of these turn out not to be 
micro at all, and become known only when their 
effects become visible, sometimes too late for 
correction or late enough for correction to be 
costly. 

There are a number of reasons for judg- 
ment to be slanted in favor of benefit, meaning 
that there is a tendency to take more risk than 
would seem desirable. This condition can be 
reversed following a serious accident or crisis. 
Then, for a while, exceptional attention is given 
to understanding risk and reducing it. But the 
full effect is usually temporary. There is a 
natural tendency to return to the state of mind 
that existed prior to the crisis, to degrade or 
even forget some of the "lessons learned." The 
trend rapidly accelerates as the team that 
lived through the tense atmosphere of the crisis 
is dispersed among other programs. Some 
procedures which were adopted may be retained 
but the degree of attention given to them tends 
to drop, and the risk engineers have a harder 
time achieving effective communication. 

Each type of risk activity includes a variety 
of steps, procedures and techniques, but they 
have a common ultimate purpose. It is to 
warn of the probability of impending trouble, 
the resources and time required to reduce that 
probability and reduce the probable damaging 
effects if it occurred. The warning is given to 
the appropriate levels of the benefit activity. 
With this information the decision-maker is in 
a position to decide whether the risk is suf- 
ficiently low to permit operation or whether it 
is preferable to take steps to reduce it. 

The decision-maker’s judgment as to the 
desirable benefit-risk ratio depends on a 
number of considerations and their balance is 
affected by current material and political pres- 
sures. This judgment is a very personal mat- 
ter. A gambler will under-value risk, a miser 
will overvalue it — at least from the point of view of the 
middle-of-the-roader. 

Facts and analytical logic limit the area 
within which judgment must rule. Outside this 
judgment area quantitative facts dominate. 
Experience shows that hard data tends to dis- 
place the soft and tenuous, even logic, some- 
times with little regard to importance. In the 
soft area it often happens that the personality 
of him who presents the information has more 
impact than the information itself. 

In most organizations which are not tech- 
nically oriented, no group is assigned the 
specific responsibility of assessing risk; 
everyone is expected to know that risk exists 
and make decisions within the area of his pro- 
ductive responsibility in accordance with his 
best judgment. But does everyone at each 
decision level give consideration to the balance 
between benefits and risk? The answer is yes.' 
Everyone does, but often it is done uncon- 
sciously with little conscious realization of the 
risk introduced. Seldom is the risk involved 
systematically communicated to higher man- 
agement. The effect is cumulative; as one deci- 
sion influences another the risks add, and many 
uncertainties — assumptions, approximations, 
conflicts, etc. — are lost to the decision- 
making process. 

Expressed in this way, it would seem that 
the current decision-making process is terrible. 
We know, however, that it is not so; decisions 
are on the whole good, except sometimes.... 


In technically oriented organizations, how- 
ever, there exist departments specifically 
oriented to certain areas of risk. Some, like 
system safety and reliability, are mainly 
analytical; others like quality assurance and 
tests (of the qualifying and acceptance type) 
are largely processing. These areas provide 
information on uncertainties and tend to 
counteract the normal tendency to under- 
estimate risk. 

THINK-POSITIVE SYNDROME 

The titles of the risk activities — Safety, 
Reliability, Quality Assurance, Test, etc. — 
appear on the doors of these departments, but 
when one enters one hears about failures, 
accidents, defects and anomalies. Why? Be- 
cause the terms "reliability," "safety," 
"quality assurance" and "tests" are reassur- 
ing, while "failures," "accidents," "defects" 
and "anomalies" are not. But professionally 
the specific work consists in reducing these 
uncertainties, and any effort to quantify them 
focuses on estimating the probability of their 
occurrence. 

One can refer to these "risk departments" 
as "uncertainty control departments" as better 
describing the type of work. Risk gives one a 
sense of a number, often of uncertain meaning, 
while uncertainty brings to mind the specific 
elements that produce risk and even a desire 
to do something about each one. When uncer- 
tainty professionals talk to policy-makers they 
will use the terminology of their titles; they 
will state, for instance, that the reliability is 
.9992 and not that the probability of failure is 
8 x 10^-4 — reliability sounds better than prob- 
ability of failure, for the same reason that bet- 
ting on a horse is based not on the probability 
of its losing but of its winning. 

This type of phenomenon I have termed the 
"Think-Positive Syndrome."* 

In industry, as in government, positive 
achievement is psychologically a must. As in 
the horse racing analogy, man loses interest 
in probabilities which involve considering los- 
ing rather than winning, even though the mathe- 
matical odds are not affected. Given the option, 
his interest will focus on benefits rather than 
uncertainties. 

*Wilmotte, R. M., "Engineering Truth in Competitive 
Environment," IEEE Spectrum, Vol. 7, May 1970, 
pp. 45-49. 

While the think-positive state of mind is 
essential to a program, it has some damaging 
consequences, the common basis of which is 
the tendency to unbalance the benefit-risk ratio 
in favor of the benefits. 

The problems it engenders start with the 
statement of goals. These are mainly of the 
benefit type, most of which can be expressed 
quantitatively such as payload of so many 
pounds, cost so many dollars, schedule of so 
many days and equipment of specified physical 
characteristics to make measurements or 
observations. In the risk area the probability 
of failure is difficult to quantify. Numbers here, 
for reasons difficult to refute, are currently 
discredited. The desire to achieve benefit 
goals puts pressure to underestimate un- 
certainties and risk. The pressure is high be- 
cause the goals are set at a level somewhat 
beyond the state of the art and risk estimates 
give way relatively easily because of the flexi- 
bility of current techniques for expressing un- 
certainties in numbers. 

In one form or another the syndrome affects 
all stages of a program. It tends to make a 
whole organization lean toward giving more 
consideration to performance information 
(usually hard data) rather than to uncertainties 
(often soft or tenuous data) regardless of im- 
portance, or more pragmatically to lean toward 
underestimating rather than overestimating 
cost and time, and later in the program to 
sacrifice too readily risk-reducing activities 
to protect schedule and budget. The think- 
positive syndrome tends to make communica- 
tion difficult and inefficient, because the 
analysis of risk inevitably focuses on un- 
certainties, which to the non-professional are 
negative aspects of engineering and manage- 
ment, although uncovering, assessing and doing 
something about them is clearly one of the 
most positive things an engineering group can 
do. 

It is under stress, when funds and schedules 
are tight, when crises occur, that the undesir- 
able features of the think-positive syndrome 
are most likely to be prominent. Under these 
conditions, the communication gap between 
policymakers and uncertainty engineers is 
particularly great, much greater than the gap 
that often exists with design and operations 
engineers. The pragmatic reason is that the 
latter are in a sense disposable. Design engi- 
neers are essential to build hardware, and 
operational engineers to operate it, but un- 
certainty engineers are needed to point out 
how uncertainties could be reduced, but pri- 
marily only to help the policymaker with risk 
data and analyses; and policymakers have for 
centuries made policies without them. While a 
few managers, design and operating engineers 
are beginning to welcome the analyses and ad- 
vice of system safety and reliability engineers, 
the majority find them to be a nagging inter- 
ference with getting on with their work. They 
often consider that existing talent in design, 
operations and policymaking can meet sub- 
stantially all such peripheral requirements. 
Under stress there is a great temptation to 
save money and time by reducing or even 
eliminating the risk departments. 

Is it desirable to carry out such a policy? 
At first glance it would seem so, for in these 
areas there are no techniques which a design 
engineer would find difficult to understand and 
learn. Why, then, did such disciplines as system 
safety and reliability separate themselves from 
design engineering to a greater extent than such 
specialized functions as structures, thermal 
analysis, communications, etc.? 

There are two reasons for maintaining risk 
and benefit technologies in separate depart- 
ments. One is the importance to quality of the 
work interest of the individual worker and the 
other is the benefit that is derived from con- 
frontation. 

WORK INTEREST 

The worker must be interested in his work 
for it to be consistently well done. If he has to 
cover two areas, in the first of which he has 
considerably more Interest than in the second, 
he will inevitably give more than proportionate 
attention to the first. The difference is par- 
ticularly noticeable when he is working under 
the pressure of a tight schedule. If consistently 
high quality is required, the two areas should 
be separated and given to different workers. 
The separation will have the advantage that 
each worker will become more knowledgeable 
in the area to which he has been assigned, but 
much more important is that each area will be 
the primary interest and will receive the 
primary attention of a worker. This situation 
exists strongly in the relation between the 
benefit and risk technologies. Design engineers 
are typically much more interested in the out- 
puts and techniques of design than they are in 
those of system safety and reliability; they are 
not, therefore, likely to have equal interest or 
give consistent attention to the risk area, if 
they are required to cover both. 

In the attached table I have listed my im- 
pression of the relative degree of interest of 
five groups — Management, Design Engineer- 
ing and the three risk assessment groups — 
Safety, Reliability and Maintenance. Primary 
interest is indicated by a dark circle and sec- 
ondary by a grey triangle. The number 1 in- 
dicates a somewhat greater interest than the 
number 2. The major difference in the interest 
is between the primary and secondary. This 
difference is to be judged not by verbal opinions 
but by action, by the extent to which under 
stress the secondary interest will be sacrificed 
for the primary; the extent to which system 
safety, for instance, will be sacrificed for 
schedule or for payload carried by a space- 
craft; the extent to which as insistent a demand 
is made and expected for competence in system 
safety as in design; the importance given to 
introducing system safety considerations at the 
initial, the conceptual, as well as in the later 
stages of a program. 

The table also shows that in the process of 
policy making three factors — cost, time, and 
key performance parameters — dominate the 
uncertainty control areas and the non-key per- 
formance parameters. Is the status of un- 
certainty control in policy-making process 
low because uncertainty control is not im- 
portant? 

The answer is that it is important, often the 
most important element when the whole life of 
the unit is the criterion, but often it is not im- 
portant for the short term. And one must re- 
member the forces on the policy-maker. For 
him the short term dominates, and long term 
effects and goals are considered only when 
short term needs are not pressing — and the 
latter condition hardly ever occurs. There are 
few fields in which risk technologies have a 
standing at the top decision levels equal to 
that of benefit technologies. One outstanding 
exception is the Office of Manned Space Flight 
of NASA. 


Even this handicap of long versus short 
term in giving greater attention to uncertainties 
might be overcome in time, if the risk areas 
were to provide information important and use- 
ful to making policy. They can warn of danger, 
they can advise Design regarding improve- 
ment, but it is difficult for them to develop a 
basis for statements such as "The design has 
deficiencies which will probably cost $X over 
its life, which could be reduced by $Y for a 
cost of $Z and a delay of T. " Without this type 
of information how can a rational decision be 
made? This is the hard kind of data which 
design engineers can provide. Uncertainty 
engineers tend to provide soft data; safety 
engineers often provide only a list of some of 
the things that could happen. As already 
stated, experience indicates that hard data 
displaces soft almost regardless of importance. 

BENEFIT FROM CONFRONTATION 

A passive organization stagnates. Confron- 
tation is essential to achievement, to progress 
and innovation. It can also be destructive, if 
it develops into personal conflicts. Ideally it is 
controlled and has a strong element of coopera- 
tion toward a common purpose. I apply the 
words confrontative and conflict in the clash of 
opinions to imply different attitudes. I visualize 
confrontation as an objective presentation of 
differences. Conflict includes an element of 
emotion and antagonism. Confrontative is con- 
structive, conflict is destructive. In complex 
programs there is commonly a clash between 
functional and institutional managers. The 
initial confrontative sometimes degrades into 
conflict. On the whole the clash is beneficial. 
But the most potentially valuable confrontation 
for effective decision-making is between the 
benefit and risk areas. It would seem impor- 
tant, therefore, to keep them separate, each 
one as fully integrated as other practical con- 
siderations permit. 

KNOWLEDGE: DESIGN AND UNCERTAINTIES 

We know what we can design with a con- 
siderable degree of confidence, and this knowl- 
edge is the stimulus that impels us to go ahead 
with a program. However, we know little 
quantitatively of the risk we take in making 
these decisions. We know how to process all 
kinds of data, but while we have much data on 
how to do things, we have little on assessing 
risk. We have universally great confidence in 
the capability of those who design, but we look 
with a degree of suspicion on those who deal 
with uncertainties. 

In the course of developing a system we are 
constantly reducing and deciding what un- 
certainties to retain. It would be folly to carry 
out all the analyses and tests we would like to 
make, but we should keep in mind that when- 
ever we decide to eliminate something, some 
analysis or test, we are increasing the un- 
certainties. At the end of the process, in our 
review of what we have done, we should include 
also what we have not done. Otherwise we can 
hardly judge what uncertainties remain. The 
uncertainties that remain are never zero. 

Uncertainty is made up of a lot of little things. It also includes big, clearly visible problems, but these are usually, though not always, well recognized and taken care of; the little ones slip by and can easily be neglected or even deliberately disregarded, and the sum of them can be far from negligible. For that reason, developing statistics is often difficult. In the case of system safety, for instance, the number of accidents due to a specific deficiency during a particular operation may be too small for meaningful statistics. In operational anomalies, however, there lies a huge fund of valuable data, largely unused. They could be aggregated and listed with their source, their cause, and the analysis, review, test or inspection where they could or should have been caught. We should not over-concentrate on major mission failures; other anomalies are just as important as real-life data to support future design, reduction of uncertainties, risk assessment and decisions, and to select uncertainty-removal techniques (analysis, tests, reviews, etc.) on the basis of their efficiency. Applying such data to failure mode and effects analysis, one could develop quantitative occurrence estimates of the conditions that could produce accidents. We would then begin to derive some sense of the probability of accidents taking place though none had yet occurred, and even before a system was put into operation. A substantial and effective data bank of derived uncertainty information might thus be built up.
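As an added example (not part of the paper, and not a NASA tool), here is how such an anomaly data bank could be held and queried: each anomaly is keyed to a failure mode and to the analysis, test, review or inspection that could have caught it; the counts are turned into occurrence rates over an exposure period; and where no anomaly of a given mode has yet escalated to an accident, a Poisson upper confidence limit (a standard method the paper does not name) stands in for the unknown escalation fraction, so that a bounded accident probability can be stated before any accident has happened. The record layout, the sample anomalies and the 4000-hour exposure figure are constructed for illustration.

```python
"""Anomaly data bank with occurrence estimates derived from operational
anomalies, for failure modes that have produced no accident yet.

Added example, not code from the paper.  The record fields, the sample
anomalies and the exposure figure are constructed for illustration; the
Poisson upper confidence limit (Garwood bound) is a standard method that
the paper itself does not name."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Anomaly:
    source: str        # program or subsystem that reported it
    failure_mode: str  # failure mode (FMEA sense) the anomaly maps to
    cause: str
    catch_point: str   # analysis/test/review/inspection that could have caught it
    accident: bool     # True if it escalated to an actual accident


# Constructed sample: nine anomalies, none of which became an accident.
RECORDS = [
    Anomaly("stage-2 propulsion", "valve fails closed", "contamination", "inspection", False),
    Anomaly("stage-2 propulsion", "valve fails closed", "contamination", "inspection", False),
    Anomaly("stage-2 propulsion", "valve fails closed", "actuator binding", "test", False),
    Anomaly("ground support", "valve fails closed", "wrong part installed", "inspection", False),
    Anomaly("guidance", "sensor reads high", "calibration drift", "test", False),
    Anomaly("guidance", "sensor reads high", "wiring error", "inspection", False),
    Anomaly("guidance", "sensor reads high", "thermal sensitivity", "analysis", False),
    Anomaly("tankage", "seal leaks", "cryogenic shrinkage", "test", False),
    Anomaly("tankage", "seal leaks", "installation damage", "review", False),
]
EXPOSURE_HOURS = 4000.0  # constructed: operating hours during which RECORDS were logged


def aggregate(records):
    """Anomaly counts per failure mode, broken down by where each could have been caught."""
    by_mode = defaultdict(Counter)
    for r in records:
        by_mode[r.failure_mode][r.catch_point] += 1
    return {mode: dict(counts) for mode, counts in by_mode.items()}


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    return sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k + 1))


def poisson_upper_bound(k, conf=0.95):
    """Upper confidence limit on the Poisson mean given k observed events:
    the mean lam at which P(X <= k | lam) = 1 - conf, found by bisection.
    For k == 0 this is -ln(1 - conf), about 3.0 at 95% (the 'rule of three')."""
    target = 1.0 - conf
    lo, hi = 0.0, k + 50.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(k, mid) > target:
            lo = mid  # lam still too small
        else:
            hi = mid
    return hi


def occurrence_estimate(records, failure_mode, exposure, conf=0.95):
    """Rates per operating hour for one failure mode: the anomaly rate, and the
    accident rate as anomaly rate times the fraction of anomalies that escalated.
    With zero escalations the point estimate is 0, so the upper bound is what
    carries the information."""
    mode_recs = [r for r in records if r.failure_mode == failure_mode]
    n = len(mode_recs)
    accidents = sum(1 for r in mode_recs if r.accident)
    anomaly_rate = n / exposure
    esc_point = accidents / n if n else 0.0
    esc_upper = min(poisson_upper_bound(accidents, conf) / n, 1.0) if n else 0.0
    return {
        "anomalies": n,
        "accidents": accidents,
        "anomaly_rate": anomaly_rate,
        "accident_rate_point": anomaly_rate * esc_point,
        "accident_rate_upper": anomaly_rate * esc_upper,
    }


def prob_accident(rate_per_hour, mission_hours):
    """Probability of at least one accident during a mission of the given length."""
    return 1.0 - math.exp(-rate_per_hour * mission_hours)


def technique_efficiency(records):
    """Share of all anomalies that each uncertainty-removal technique could have
    caught: the basis for choosing which analyses, tests and reviews to keep."""
    counts = Counter(r.catch_point for r in records)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.most_common()}


if __name__ == "__main__":
    for mode in aggregate(RECORDS):
        est = occurrence_estimate(RECORDS, mode, EXPOSURE_HOURS)
        p = prob_accident(est["accident_rate_upper"], mission_hours=100.0)
        print(f"{mode:20s} anomalies={est['anomalies']} "
              f"95% upper accident rate/h={est['accident_rate_upper']:.2e} "
              f"P(accident in 100 h)<={p:.3f}")
    print("catch-point shares:", technique_efficiency(RECORDS))
```

The upper bound is deliberately conservative: four anomalies with no escalation give an escalation fraction of at most about 0.75 at 95% confidence, and the bound tightens only as more anomalies are logged without escalating, which is exactly the argument for recording minor anomalies rather than waiting for accidents.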


The development of this technique and the building of such a data bank would change radically the importance and policy status of the uncertainty technology; it would rehabilitate the status of the "numbers game"; it would bring estimates of risk, of the consequences and penalties of potential deficiencies and uncertainties of a program, to a level of management appreciation comparable to that of the projected benefits. Management would then at last have balanced information on benefits and risk, without which decisions have to be largely a matter of unsupported judgment. We can even consider that contractors could be induced to establish risk during the development of a complex system in some systematic manner, so that both contractor and buyer can assess and monitor the true progress of a project at each of its critical stages.

CONCLUSIONS 

No specific formula is presented on how to 
introduce into an organization the principles I 
have outlined regarding the utility of the risk 
technologies and their relationship to benefit 
technologies. Clearly the best operation will 
vary greatly with the industry and its current 
pattern of operation. Moreover, it is by no 
means obvious where improvement would be 
cost effective. Intuitively one can expect only 
slow advance in the science of risk technology 
while it remains fragmented. Strong advance 
could be expected by integrating its several 
elements into a single department with its man- 
ager responsible for warning of dangers aris- 
ing out of uncertainties. 

The importance to quality of worker interest and the value of confrontation point to the importance of separating the management of risk and benefit technologies. There is no clear argument, however, as to whether raising the level of effort of the risk technologies would be beneficial or not.

Looking back over this discussion one cannot help but feel that in its development, its data base and the degree of attention from management, risk technologies lag far behind benefit technologies. The lag in these areas is undoubtedly the reason for the greater attraction that benefit technologies have for engineers. That lag of itself does not justify an increased effort in the risk area. Judging from the experience of some of the large programs one could reasonably come to the conclusion that adequate attention is being given to uncertainties, even taking into account the details of performance achieved, the anomalies experienced and the risks that they imply.

I have outlined a number of arguments describing existing conditions and pressures which lead to underestimating risk. All seem valid, but it is difficult to judge what value would accrue if these areas were improved. The gain might indeed be little, but it might also be considerable. One might expect overall performance of many large programs to be sensitive to the quality of the decision process. If that is so, a small improvement should produce valuable results. Among the critical parameters of control one would expect to include risk at a level of attention no less than that given to any other parameter, including schedule and cost, and traded off on some reasonably comparable basis.

There is probably no controversy that an 
increased knowledge of risk in complex sys- 
tems would help decision making. The con- 
troversial question is whether the improve- 
ment warrants the effort. Many managers feel 
that the present decision process is satisfac- 
tory; others don't. Among the latter is Under- 
secretary of Defense Packard. The fact is that 
we do not know; neither do we know what 
increased risk we incur when, under tight 
budgets, when crises are more likely to occur, 
we reduce the level of effort in the uncertainty 
areas. 

It seems important to develop a better 
sense of the benefits that knowledge of risk 
could provide via the decision-making process. 
To carry this out will require an improved 
data base. By experiment and analysis on the 
effects of increasing the contribution of risk 
technologies, one could develop a better under- 
standing of their potentiality and limitations. 

The analysis in this paper has been written mainly with the idea of clarifying to technologists and analysts the place of the risk technologies in the managerial environment. Can it also indicate to management a possible line of approach to some of its needs? Judging from the demand of other countries for American management expertise we can reasonably consider ourselves equal to the best and possibly generally better in this field. But the urge for progress is in our blood. How do we progress in a field without guidelines, without goals, without means of measurement? The process we have followed is first to recognize some weak spots in our operation, and shortly, sure enough, some ambitious top management tries an approach different from the current pattern for its type of operation. Whether it is an improvement or not is a matter of opinion, for it is almost always impossible to measure. Success is usually more felt than proven. To make such a move is generally dangerous to the individual, for criticism of managerial innovation, overt and covert, from managerial peers is easy to make and likely to abound, while praise comes more reluctantly. Experiments are difficult to carry out, for administrative changes may be strongly resisted by special groups and managerial levels. They generate barriers born of insecurity and fears: fear of being measured, of loss of authority and of freedom of action. The whole field is replete with prejudices and protective mechanisms.

So described, the environment does not seem well suited to embrace a search for progress. Yet these barriers are constantly being overcome, for progress has come consistently. This paper points to an area which is ready for progress. I believe it is a most important area, one in which a quantum step of progress can perhaps be achieved. The discussion of the paper was focused on technology, but the key element, the imbalance between benefits and risk in the decision-making process, extends far beyond the boundaries of technology. If a systematic attack is to be made on this imbalance, technology is the logical first area to approach, for there the problem is most clearly definable, and its individual risk areas are well stocked, though still inadequately, with data, techniques and expert personnel.

My personal but unsupported opinion is that risk technology is a great and coming field. Advance there is needed more than in other technologies. It is not only needed in the hard area of engineering, but even more so in the soft area of the social sciences. It is rapidly changing from an art of judgment to a technology where we can begin to see the possibility of reliable numbers based on physics and real-life experience. We still have a long way to go before we can approach the values that this technology could provide. Risk assessment, supported by data and techniques for prediction, is receiving rapidly growing attention in many fields.

I would like to add one final opinion appli- 
cable to both the public and private sectors: 


If one does not include throughout a major project a systematic uncovering of uncertainties, and at each major milestone a thorough official assessment of risk, one probably loses one of the most important benefits for the future the project can provide: developing real-life statistical data and learning how to apply them to decision-making.

We still have much to learn.
[Summary slide]
CONFRONTATION: BENEFIT VS RISK IS ESSENTIAL ELEMENT OF DECISION
- (item not recovered): NOT KNOWN
- LOSS INCURRED BY REDUCTION OF EFFORT IN UNCERTAINTY AREAS FOR SCHEDULE & COST: NOT KNOWN
IMPORTANT TO DEVELOP A SENSE OF THE DECISION VALUE OF BETTER BALANCE IN KNOWLEDGE OF BENEFIT-RISK RATIO BY:
- IMPROVED DATA BASE
- TRIALS & ANALYSIS
- STIMULATION OF PRIVATE CONTRACTORS
A NEW DISCIPLINE

Credit safety engineers for a new systems theory to the complex aerospace industry. But credit also the safety managers for making their theory apply to the average industrial management activity.

A system is simply an assemblage of things and parts that go to make up a whole. Space engineers think of their complex and dangerous manufacture and manipulation of space products as a system. "All systems go" is their famous watchword. The Defense Department has a set of general requirements for applying systems safety engineering principles to the life cycle of weapons systems, including the conceptual design, engineering, fabrication, testing, installation, checkout, operation, and disposal. (1)

This approach to optimal safety effectiveness has given the engineering side of loss prevention a "new look" that gives promise to an exciting future for the technical safety experts. The application of systems theory, however, is not limited to safety engineering and hardware. It can and does apply to any number of things, some of which are quite familiar to us. For example: a training system, a transportation system, the Federal Reserve System, the respiratory system, the solar system, the school system, and so on. THE THEORY OF SYSTEMS CAN BE APPLIED TO MANAGEMENT.

MANAGEMENT IS A SYSTEM 

In a very practical sense, management it- 
self is a system every bit as complex as any 
system of hardware. Organizations are man- 
made systems with many interrelated func- 
tional and subfunctional parts. Each is respon- 
sible to the other in the accomplishment of a 
common mission of the business. Each must 
work in harmony to accomplish mutual goals. 

"The systems concept can be primarily a way of thinking about the job of managing," according to the authors of a textbook that presents management theory in a "systems" framework. (2) This concept of visualizing the system of management as a series of parts working together to contribute to a whole is very exciting for safety managers. This book, along with the works of Gulick, Urwick, Blake, Likert, Drucker, McGregor, and others, is recommended reading for every safety manager desiring to adopt the systems approach to accident loss prevention.

MANAGEMENT CAN BE DEFICIENT 

H. W. Heinrich, (3) a pioneer in the field of accident loss prevention, pointed out that accident events have (1) unsafe acts and/or personal factors and (2) unsafe conditions. What Heinrich did not discuss was the managerial failures or system breakdowns that are the basic reasons for human errors and condition defects. These factors must be translated into broader areas of managerial responsibility involving policies, organization, staffing, communication, coordination, decision-making, etc., at all levels of the corporate hierarchy. In this concept, safety managers must stop visualizing the problem only with the individual (supervisor or employee), step back, and see the problem from the systems point of view.

PERFORMANCE ERRORS CALLED 
"ACCIDENTS" 

Accidents are only managerial excuses for operational errors that result from manager failures. This concept was introduced in 1962 by Dr. John J. Brownfain, who said, "In science, if you know the cause of an event, that event is not an accident." (4) He went on to explain that "In everyday life, if we do not like the end result of this event, and at the same time want to escape personal responsibility for it, we are inclined to call it an accident."

Dr. Brownfain's observations are important in the system safety management approach to reducing operational errors called accidents. Few will disagree that the causes of most accidents (events) are well documented. Thus, what safety managers are really doing for management is programming to eliminate performance failures that produce injury and property damage. Carrying this one step further, one can say that safety activities are directed more at managerial improvement than at the reduction of personal suffering, although the end result does not change.

THE FUTURE OF SYSTEMS SAFETY 
MANAGEMENT 

Systems safety management holds great promise as a new discipline for reducing operating errors, conserving labor resources, avoiding operating costs due to mistakes, and for improving managerial techniques. The management approach to safety involves the process of business vis-a-vis the process of things. In this process we are concerned more with the interrelationships of all levels of management in relation to the prevention of loss than only with the line manager (supervisor).

After six years of practical application and 
research with the systems theory and safety 
management, it is my observation that: 

* Improvement of a critical managerial 
weakness in the organizational system 
that contributes to operational errors 
can be equally as important as protect- 
ing a critical function of machinery. One 
cannot succeed very long without the 
other. 

* The principle of redundancy (multiple 
channels of operation to reduce possi- 
bility of failure) can apply to the process 
of management as well as to a mechanical 
operation. 

* Systems reliability can be as important 
to the excellence of management and its 
functional entities as to the successful 
engineering of hardware components. 

In short, any operating error that is re- 
ported as an accident, can be examined for 
managerial failures as well as human errors 
and condition defects. The managerial defi- 
ciencies can be traced to the several manage- 
ment systems and, in turn, to their managerial 
subsystems. The isolation, quantification, and 
cost evaluation of these managerial concerns 
then become an important part of decision- 
making and eventual systems improvement. 

MANAGEMENT MUST BE STUDIED 

The successful use of the systems theory 
with the management of accident prevention 
programs as applied to corporate organizations 
requires the understanding by all line super- 
visors that most causes of accidents can be 
traced to staff support deficiencies. This in- 
formation about causes and costs becomes a 
valuable management tool for self evaluation 
(upwards) and a means for controlling and 
planning with greater accuracy and efficiency. 


From what has been said here, it should be fairly obvious that a safety professional who chooses the management direction of accident loss prevention must have a broad background of managerial expertise and experience beyond that of a line manager. The art of management is as important to the safety manager as the science of engineering is to the safety engineer. Some knowledge of both is an ideal situation.

Remember, in the field of management, interfunctional interest in safety begins with the establishment of common program goals between the functional systems. This simply means that the safety manager must know what the other functional manager is trying to do for the organization and then tie safety objectives to his objectives. For example, it would be extremely difficult to obtain management interest in problems concerning "falls of persons" from a personnel officer, or even a property officer. On the other hand, tell personnel it has a "training" deficiency that produced over 1,000 employee errors resulting in falls, or tell a property officer that design failures are causing $200,000 of waste annually; need any more be said? In each case, the managerial weakness is degrading the expected output of the system in an area of concern that cannot be corrected by the safety manager.

Others interested in loss control (error-free performance) will show concern if that loss is presented in a way that relates to failures in their functional missions or to the ability to operate and manage for profit.

If you want management's attention to safety problems, then speak management's language and be sensitive to managerial concerns. Learn all you can about each function and subfunction of your business in the same way that an engineer is expected to know about the machinery he deals with. This will enable you to make serious inroads into their decision-making process. ABOVE ALL, CONSTRUCT YOUR SAFETY SERVICES TO THEIR ORGANIZATIONAL NEEDS, NOT JUST TO THE REQUIREMENTS OF AN INDIVIDUAL.

CONSTRUCT AN INTRA-MANAGEMENT 
INFORMATION SYSTEM 

Control is the basic feature of the systems theory. You cannot solve a problem if you don't have the facts about it. This means that a safety management information system is basic to managerial improvement through loss prevention. This communication upward through the levels of management must be responsive to managerial needs. Use a computer to collect and store accident data related to management systems. Used correctly, such a system means safety managers will not have to beg for top management support; functional managers at all levels will seek safety support.

No system can exist without communication. The first task in establishing a report network is to develop a source document (accident report) that allows the line manager to identify systems failures. (5) He reports them, as he sees them, in a manner that can be put into a computer. The computer can be called upon to feed back data for periodic analysis in meaningful terms (English language). This analysis, with supporting facts, is then given to the line managers for direct action and to staff managers for systems improvements.
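As an added example, not the paper's own system, the following sketch implements the source document and roll-up described here together with the earlier point about speaking management's language (the training deficiency behind falls, the design failures behind waste): each accident report must be coded by the line manager to a management system and subsystem from a code table, uncoded reports are returned to him rather than stored, and accepted reports are rolled up per functional manager in errors, dollars and man-hours. The record layout, the code table and the sample reports are all constructed for illustration.

```python
"""Safety management information system: parse accident-report source
documents on which the line manager codes the management system and
subsystem that failed, reject reports that do not, and roll the results up
in each functional manager's own terms (errors, dollars, man-hours).

Added example, not the paper's or any vendor's code.  The record layout,
the management-system code table and the sample reports are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed code table: management system -> managerial subsystems it owns.
MANAGEMENT_SYSTEMS = {
    "personnel": {"training", "staffing", "communication"},
    "property": {"design", "maintenance", "procurement"},
    "operations": {"procedures", "supervision", "coordination"},
}

# Constructed source-document layout, one report per line:
# report_id|event|human_error|condition_defect|mgmt_system|subsystem|dollars|manhours
SAMPLE_REPORTS = """\
A-0412|fall of person|stepped onto unsecured plank|plank not tied down|personnel|training|1800|16
A-0413|fall of person|used ladder as scaffold|no scaffold available|personnel|training|2400|40
A-0414|fall of person|missed bottom rung|rung cracked|property|maintenance|600|8
A-0415|struck by object|none|hoist hook without latch|property|design|15000|120
A-0416|fall of person|carried load on stairs|stair tread worn|property|design|3200|24
A-0417|chemical burn|skipped rinse step|none|operations|procedures|900|12
A-0418|fall of person|ran on wet floor|floor drain blocked|personnel|drainage|500|4
"""


@dataclass(frozen=True)
class AccidentReport:
    report_id: str
    event: str
    human_error: str       # what the injured person or operator did
    condition_defect: str  # the unsafe condition present
    mgmt_system: str       # which management system's failure let it happen
    subsystem: str         # which managerial subsystem within it
    dollars: int
    manhours: int


def parse_reports(text):
    """Split source documents into accepted reports and rejected lines.
    A line is rejected when the manager has not coded a system/subsystem
    pair from the code table; an uncoded report cannot be rolled up."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 8:
            rejected.append((line, "wrong field count"))
            continue
        rid, event, err, defect, system, sub, dollars, hours = fields
        if sub not in MANAGEMENT_SYSTEMS.get(system, ()):
            rejected.append((line, f"unknown code {system}/{sub}"))
            continue
        accepted.append(AccidentReport(rid, event, err, defect, system, sub,
                                       int(dollars), int(hours)))
    return accepted, rejected


def rollup(reports):
    """Totals per management system, with a breakdown by subsystem and event,
    so each functional manager sees the loss charged to his own system."""
    out = defaultdict(lambda: {"errors": 0, "dollars": 0, "manhours": 0,
                               "subsystems": Counter(), "events": Counter()})
    for r in reports:
        row = out[r.mgmt_system]
        row["errors"] += 1
        row["dollars"] += r.dollars
        row["manhours"] += r.manhours
        row["subsystems"][r.subsystem] += 1
        row["events"][r.event] += 1
    return dict(out)


def briefing(totals, mgmt_system):
    """One sentence in management's language for one functional manager."""
    row = totals[mgmt_system]
    sub, n = row["subsystems"].most_common(1)[0]
    return (f"{mgmt_system}: a {sub} deficiency figures in {n} of {row['errors']} "
            f"operating errors, costing ${row['dollars']:,} and {row['manhours']} man-hours")


if __name__ == "__main__":
    reports, rejects = parse_reports(SAMPLE_REPORTS)
    totals = rollup(reports)
    for system in totals:
        print(briefing(totals, system))
    for line, why in rejects:
        print("returned to line manager:", why, "->", line)
```

The validation step is what makes the feedback loop work: a report coded only to a person and an unsafe condition is the Heinrich-era record, and nothing can be rolled up from it to a management system, so the parser hands it back instead of storing it.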

CONCLUSION 

In summary, it would be a serious mis- 
take to think that the theory of systems and 
safety applies only to hardware. Engineer- 
ing or technical knowhow is not the prime 
requisite for all safety problems. Expertise 
in safety management requires a basic under- 
standing of human resource management rather 
than scientific understanding of machines. 

To make the concept operational, safety managers must always consider the social benefits of employees: their needs, motivations, and aspirations, more as groups than as individuals. There is a great need for understanding of group behavior and manager relationships, and the safety manager may make a real contribution to error-free performance by the realization of this need.

"Some loss control programs are now showing refreshing signs of objectivity," says Robert LeClerg, Assistant Chief, Administrative Operations Division, National Oceanic & Atmospheric Administration, U.S. Department of Commerce. "They share responsibility for finding and identifying all accident losses. They collect causal data in usable form instead of simply keeping score. They bridge the communications gap by addressing dollars and manhours lost instead of percentage of rates. This momentum is well timed to reinforce the new emphasis on "ZEROING-IN" on problems. But, before we pull the trigger, let's examine the target. Our purpose must be to give effective direction to the control of all accidental losses, not to play one more hand of the same tired game." (6)
Those friends of George Mandel who are wondering why it is that I am here in his place, I am happy to report that he is recovering nicely from a heart attack.

On the matter of the Aerospace Safety Research and Data Institute, about three or four years ago, after the Apollo fire, NASA realized that its safety organization could use a center where safety information accumulates and is validated and interpreted for use by the aerospace industry. Our group was set up in the Cleveland laboratory to serve all of NASA and the aerospace industry. Three years ago I was a lone member of this group and I spoke to this conference about our hopes. Now I am here to report how we have proceeded, what our points of view are, and where we stand at this time.

Let's review for a minute and take a look at our objectives. First, to support NASA and its contractors with technical information and consulting on safety problems. To identify areas where safety problems exist or where voids in technology exist, and to initiate research programs, both in-house and under contract, to fill these voids; to prepare state-of-the-art summaries and other publications of use in our area. The key to all this is to establish and operate a safety data bank.

It is my purpose today to go through this 
quickly to give you an idea of our thinking and 
where we stand. I might add, as an overall re- 
mark, the emphasis we have given in our efforts 
is to keep the user of the information in mind. 
That user isn't necessarily a safety specialist 
as you are, but can be any one of the engineers 
in the total system of engineering support. 
There are decisions being made at all levels. 
Many of our users are competent engineers who 
are being called on to make decisions involving 
technical information for which they have poor 
background. 

In order to maintain contact with the user population so that we do a useful job, we stay in detailed contact with the entire industry and all institutional centers of NASA where problems are apt to arise. We also have membership on a host of committees. Obviously the space shuttle is prime to NASA's interest at this time, and I might add that in setting up this data bank we try our best to do the work in those areas of immediate interest to NASA and then broaden our interest as time allows. Space Shuttle is being controlled at this stage by a variety of committees within NASA and we have panel membership on each of these committees. We worry about cryogenics and low temperature systems because we deal a great deal in propellants which are liquefied gases, and we have membership in the Compressed Gas Association where much of this work is done. I won't detail all of these things but point out that in addition to all else we deal with assorted NASA committees dealing with space-borne radioactive materials. If you are wondering how it is that NASA deals in radioactive materials for space, I will remind you that the largest space station which will orbit the earth will carry electricity-producing systems which will not use the sun as a source of heat but either a nuclear reactor or radioisotopes. This is a real concern to us at this time. The final committee we serve on is NASA's Spacecraft Fire Hazard Steering Committee, which I chair. This grew out of NASA's concern for fire problems on spacecraft, particularly manned spacecraft.

The question is: what is safety information? We had to ask ourselves, we are going to collect information, but what? What is it? Is it that body of information that has a safety label attached to it in some way? Well yes, it is that. But is it something else as well? Here is what we feel constitutes the boundaries of safety information, and I am sure this is an inadequate detail of these boundaries. First, safety information is a body of technical matter drawn together from various disciplines in support of a safety problem. This information is often indistinguishable from engineering, scientific or medical information. In a sense, what we are saying is this: that safety information can be drawn from any part of the technical and scientific literature, and we have to be prepared to do just that. Safety information is also information on hazard management techniques and, where equipment is involved, the associated equipment. It deals in failure advisories, accident reports, and then the legal aspects of safety, codes and standards.

Now, where we are dealing with a user-oriented system, the user generally comes to a safety problem with certain categories of questions in his mind. He would like, for example, to recognize when hazards exist, and understand how he can detect the build-up of a hazardous condition. And so we like to organize our information that way. Or he would like to understand how to reduce the probability of a failure or an accident. So we organize our information this way as well. He would like to be able to assess the consequences of a failure. Oddly enough, when we look at the literature for assessing the consequences of a failure we don't go to the safety literature, we go to the anti-safety literature. We look to the demolition expert and say, "What do you know about what would happen if we had an explosion?" He would like to be able to reduce the consequences of a failure, and he would like to have the information so structured that when he comes with this question in mind he can find that kind of information.

Then there are certain scientific and engineering fundamentals he has to have in order to apply what information exists. We feel that here is a key weakness in the communication of safety literature, information from the literature, and that is the interpretation of what the literature tells you. We feel that in many areas we, the Aerospace Safety Research and Data Institute, shall have to prepare documents which show how the existing information in the literature is interpreted in terms of real problems. We haven't begun this process yet except in a very limited way. It is a difficult thing to do, but I think it is a vital step. And we also, since the legal aspects of safety are so important, have to make our engineer who is dabbling in a safety problem aware that there are certain legal aspects to the safety problem.

When we took a look at the existing information in safety and decided to create a safety data bank, we were first faced with what shall go in the bank? We are proposing to have a largely computerized bank, and the first thing that hit me forcibly in this whole business was the fact that if you use a computer as a bank, as a place in which to store information, you discover how enormously, enormously costly it is to do a proper job of putting information into a computer. We said we have to be careful what goes in, not only from the standpoint of cost but from the standpoint of credibility. Can the people get information out of our system and depend on it? They are surely going to use this as an authority for the actions they take, and if we give them the wrong information or poor information, it is our responsibility. Also, we looked at the quality of safety information. Most of you are old pros at this and I think you'll want to disagree with what I am going to say next.

In the safety information that we reviewed, we often found that important portions of the safety information are misapplied laboratory data: data that was gathered not with a safety problem in mind but simply as a study of a discipline, and somebody is using that information improperly in a safety document. Safety reports often deal in opinions masquerading as fact, and this is all too often the case. I think many of you understand this. A large body of literature exists in some fields and little or none in others, and sharply focused information is difficult to find for both reasons. There are times when you query an information system about a certain aspect of a safety problem and you get snowed with 2,000 documents. That is as good as giving you nothing unless you have enough discretion in the field and are inquiring enough to pick that which is useful from that which isn't.

Much of the literature contains incremental contributions, and a large mass of reports must be reviewed for answers to the safety questions. This tells us that somewhere in our system we have to boil down the information into review and summary reports and let that be the input to our system, and cut out the chaff of a large number of incremental reports. And too, a point I alluded to before, information is couched in scientific terms which are unfamiliar to engineers. In other words, the information isn't user-oriented. If you want to touch on this at all, give an engineer a man-machine problem, the business of integrating man into a machine system, and let him look at the data the psychologists put out and try to make some sense of it for himself. I'm not saying that the psychologist's data is no good, but the psychologist's data is so couched in jargon that the engineer is hopelessly confused.

The present retrieval systems often lose the relevant information and cite many irrelevant references. When this happens, obviously there is a degradation in the service being provided.

Here is what we said the components of a safety data bank system ought to be.

First, what we put in the computer should be document references. These should have an appropriate abstract so that the person looking at a document reference doesn't have to go by the title. Authors of reports are notoriously poor in titling their own reports, so we prefer to have an abstract, which helps a little. In the work which we are going to be doing, in which we ask people to review literature in specialized fields, we ask the reviewer, who is an expert in the field, to write his own abstract in addition to the author's abstract if he thinks the author's abstract is misleading. Computer information should have references to other repositories that specialize in information, and I want to bring up the point that we don't think we are the only safety data bank in existence. We know there are many. We hope to be complementary with them, not to overlap them, and in no case to totally absorb them unless it's worthwhile to do that. We do have to know where the other information resides and to have the computer point it out as an answer to a query on information requests. It has to be able to store systematic accumulations of safety data, and what I mean by systematic accumulations is this. Much of the information that a safety engineer, or person involved with safety problems, needs to use has never been published. It has been garnered from research completed in private places, and these are available to us as curves and graphs, plots, formulas, etc.; we have to be able to include that in our system so these come out. We can't rely entirely on documents. We then need a list of specialists in safety and safety-related fields, and this goes back to our role of consulting. We ourselves don't feel that we are capable in every field to give consulting. This would be ridiculous for a group of about 16 technical people, and we couldn't hope to cover all fields. What we hope to do in providing consultation is to find an appropriate person somewhere who can serve that role, but we can't. We don't intend to supplement the standard reference library with on-shelf references. There is no sense in sticking the normal materials of a good library in a computer. That's on the shelf, and the standard library techniques work very well. We hope to microfilm all the information that is referred to in our computer-stored information so that if the person wants the reference we can slip him microfilm. We next hope to set up a Safety Information Analysis Center for consolidating this act of boiling things down and having only a few reports in the place of many; validating, in other words getting rid of the junk that isn't correct; and updating, getting rid of old stuff and making sure you're getting the latest in safety information; and then preparing safety reports and advisories, much of which would be done under contract.

Now where are we in this matter of establishing the bank? First, our basic computer components have been acquired for the Lewis Center and they are being up-graded which makes me unfortunately say to you that we can't give you red-hot service quite yet because this up-grading step makes the computer unavailable to us for long periods of time. We have now completed the computer programming to give us a very flexible storage and retrieval system for information. First of all we give random access to documents and data citations in the computer storage, in other words very speedy retrieval. We can reach into any part of this storage immediately and pull out the reference without having to spin all tapes through a monitor to pick up the information we are looking for. This reaches in and pulls it out in a fraction of a second. We can fix the retrieval of information by author, by content, in which we use an elaborate system of key words so that you can get sharply focused information, by document origin and number, and I might add by the contractor or other Agency that did the work, by the program name that created the work and so on. There are many ways in which we can find documents under this system. We believe in continuous key-word Thesaurus development. These key words are the descriptives that describe the contents of a document. We know that as documents appear, any fixed Thesaurus will not cover the contents of an ever-growing field, and so the Thesaurus that we are developing can continue to grow with the literature as it comes in and we can always have an up-dated Thesaurus. When a searcher comes to the computer and says I want to find something, what word shall I use, the computer gives him the very latest list of words. The system is very flexible in that if we feel that, having enlarged the Thesaurus and the descriptive terms that we allowed ourselves to use, we did an inadequate job of the existing citations in our files, we can go through and change the key words attached to that citation. In the end we hope to be free of any business of a Thesaurus and use free language for characterizing citations. In other words you have a freedom from the constraint of using specialized terms. This is one of the difficulties of finding information in a computerized system. The systems, if they are limited to a Thesaurus, have a rather strange number of constraints.

Let me give you an example of this: Suppose 
you were interested in cats. And in particular, 
since you are domesticated, you want a do- 
mesticated cat, you want a house cat and you 
want information on house cats. There are 
some retrieval systems that would say, "Okay, 
you can use the word house and you can use 
the word cat. Because the C in cat comes 
before H in house it will go into the computer 
with the word with the C first so it goes into the computer, not as house cat but as cat house." Now who would think of looking for
house cats under that. You can do a lot of 
games with this of course. Try Venetian blinds 
for example. This is true, some systems are 
this way and give the searcher quite a game 
to play to try to find the information that 
exists. We hope to break this block. 
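The retrieval scheme described above (random access to citations, lookup by author, origin, contractor or program, key-word descriptors, a thesaurus that keeps growing as documents arrive, re-tagging of old citations, and the "what word shall I use?" prompt) can be sketched in a few dozen lines. The following is an added illustration written for this edition, not code from the talk or from the NASA data bank; the citation identifiers, field values and descriptor terms are constructed placeholders. It also shows, side by side, the alphabetical word-sorting rule the speaker warns about (which files "house cat" as "cat house") and an order-preserving descriptor key that keeps the two apart.

```python
from collections import defaultdict


def sorted_word_key(phrase):
    """The indexing rule the talk warns about: the words of a compound term are
    stored in alphabetical order, so 'house cat' is filed as 'cat house'."""
    return " ".join(sorted(phrase.lower().split()))


def phrase_key(phrase):
    """Order-preserving descriptor key: case-folded and whitespace-normalised,
    but word order is kept, so 'house cat' and 'cat house' stay distinct."""
    return " ".join(phrase.lower().split())


class SafetyDataBank:
    """Citation store with random access by id, a thesaurus that grows as
    documents are added, and retrieval by descriptor or by cataloguing field.
    (Constructed example; not the NASA system's code.)"""

    FIELDS = ("author", "origin", "contractor", "program")

    def __init__(self):
        self.citations = {}                                   # id -> record
        self.thesaurus = set()                                # every descriptor ever used
        self.by_descriptor = defaultdict(set)                 # descriptor -> ids
        self.by_field = {f: defaultdict(set) for f in self.FIELDS}  # field -> value -> ids

    def add_citation(self, cid, author, origin, contractor, program,
                     descriptors, abstract, reviewer_note=None):
        rec = {"author": author, "origin": origin, "contractor": contractor,
               "program": program, "abstract": abstract,
               "reviewer_note": reviewer_note, "descriptors": []}
        self.citations[cid] = rec
        for f in self.FIELDS:
            self.by_field[f][rec[f].lower()].add(cid)
        self._tag(cid, descriptors)
        return cid

    def _tag(self, cid, descriptors):
        rec = self.citations[cid]
        rec["descriptors"] = [phrase_key(d) for d in descriptors]
        for d in rec["descriptors"]:
            self.thesaurus.add(d)          # the thesaurus grows with the literature
            self.by_descriptor[d].add(cid)

    def retag(self, cid, descriptors):
        """Re-characterise an existing citation after the thesaurus has grown."""
        for d in self.citations[cid]["descriptors"]:
            self.by_descriptor[d].discard(cid)
        self._tag(cid, descriptors)

    def search(self, descriptor=None, **fields):
        """Intersection of a descriptor match with any number of field matches;
        an unknown field name is rejected rather than silently matching nothing."""
        result = None
        if descriptor is not None:
            result = set(self.by_descriptor.get(phrase_key(descriptor), ()))
        for f, value in fields.items():
            if f not in self.FIELDS:
                raise KeyError(f"unknown field {f!r}")
            hits = self.by_field[f].get(value.lower(), set())
            result = set(hits) if result is None else result & hits
        return sorted(result or ())

    def what_next(self, prefix=""):
        """The searcher's 'what word shall I use?': the current thesaurus,
        optionally narrowed to terms starting with a prefix."""
        p = prefix.lower()
        return sorted(t for t in self.thesaurus if t.startswith(p))


def build_sample_bank():
    """Three constructed citations; every identifier and value is a placeholder."""
    bank = SafetyDataBank()
    bank.add_citation("C-1", author="Doe", origin="DOC-0001", contractor="Contractor A",
                      program="Apollo", descriptors=["oxygen compatibility", "materials"],
                      abstract="Compatibility of structural materials with oxygen.",
                      reviewer_note="Good for materials; title overstates scope.")
    bank.add_citation("C-2", author="Roe", origin="DOC-0002", contractor="Contractor B",
                      program="Nuclear Isotope Safety",
                      descriptors=["cryogenic fluid", "storage"],
                      abstract="Storage practices for cryogenic fluids.")
    bank.add_citation("C-3", author="Poe", origin="DOC-0003", contractor="Contractor A",
                      program="Apollo", descriptors=["fracture mechanics", "low temperature"],
                      abstract="Crack growth in high-strength alloys at low temperature.")
    return bank
```

The in-memory dictionaries stand in for the random-access store the speaker contrasts with spinning through tapes: every lookup is a direct key access, and `retag` is the "go through and change the key words attached to that citation" step, which only touches the one citation's index entries.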

We will include a file of document abstracts and reviewers' comments in which the reviewer will say the report is pretty good for this area of work but don't believe the title, it just doesn't have very much information in another area or, this is old stuff and it's wrong in this respect. We hope the reviewers' comments will be tagged to most of these citations. As I said before, we would have a method for accumulating incremental data in terms of tables and formulas etc. and also the computer has devised within it a means for assisting the searcher in going through the strategy of the search. It keeps assisting him with clues and if he doesn't know what to do next, he asks the computer, "What next?" and the computer tells him.

Here is a view of what we are trying to do now. First of all we find that there are some excellent safety information files. Many of them are computerized, some are not, many of them have this so-called interactive— let me say it this way— we are more or less unique in having this easy interactive scheme of search and retrieval that many do not, and where it's justified to absorb a given file of information on safety so we can have this nice access with our computer, we do this. In particular, an excellent file of safety information, which has already been put into our system, is a file of about 35-36,000 documents in the nuclear safety field. The files of the Cryogenic Engineering Center and the National Bureau of Standards have already been placed into our system. The FAA Aviation Safety files we are negotiating on. Recall we said that a complete information system would also include component failure rate files and here is the key word— IDEP— it is an information exchange program amongst the various segments of the Government. It deals with failure rates in the testing of components for aerospace devices— airplanes, spacecraft. By putting this file, which exists on paper, into our computer we can maintain an up-to-date record of all failure rate studies going on, that have gone in the past and those which are current. This will keep some branch of the Government from repeating a failure rate study on a piece of equipment which is already in progress by another Agency. You'll see a sample of the kind of printout this system gives.

Within NASA, following the 204 fire four 
years ago and then the Apollo 13 accident, 
both involving oxygen, and other oxygen acci- 
dents within NASA, we undertook a complicated 
and rather involved study of material compati- 
bility with oxygen. This file is going into our 
computer so that one can find information more 
readily than the turning of pages in a book, 
which becomes very difficult. 

Here is some safety information that we 
are asking others to gather with our support 
and our help. Oxygen System Safety, this 
grows out of the Apollo 13 accident, in which 
we are collecting meaningful literature and 
data and then we are collecting the practices 
of others in design and operation of oxygen 
systems. We are trying to put together the fire technology as it applies largely to spacecraft and aircraft and ground test facilities in support of development of either of these.
The National Bureau of Standards has a con- 
tract with us to do this. They have a fire 
safety technology group who are charged by 
Congress to conduct work in this area. This 
portion of it is a cooperative effort with NASA 
now. 

Human Factors, with emphasis on flight vehicles and especially the space shuttle. This study is going forward under the guidance of the Human Factors people at our Ames laboratory in California and it is to be a major effort. This Nuclear Isotope safety I mentioned earlier has to do with on-board nuclear materials. The business of non-destructive testing and diagnostic techniques with structures on machines; safety codes and operating practices for aircraft; fracture mechanics data for structural alloys with special emphasis on low temperature applications of metals; and let me cue you in here. NASA has found that every time it took on the use of a high strength material, particularly those which retain their high strength at low temperature, it found it had problems in fracture mechanics — the two ran together. When you try to grab the advantage of a red-hot material that had a high strength to weight ratio and good toughness at low temperatures particularly, it had a fracture mechanics problem. The thing wanted to crack easily, which appears to be a contradiction of terms, but this is the way it works. Mathematical techniques in safety analysis, that is only beginning for us.

In an effort to organize our information so that the user can find his problem, we did this. We said, the user comes with certain questions in mind, very often he is concerned with the causes for failure in his systems and we are taking as our illustration this cryogenic fluid safety grid, a means for characterizing the information that exists in a given area, and in this area on cryogenic fluid safety, what are the causes of failure? And we say the causes of failure under what conditions: when you are transporting, where you are storing, when you are handling the fluids in systems. These are the blocks which represent an intersection between this term, transportation, storage or system handling, and failure causes. Each of these blocks constitutes a range of problems of interest and these then are the categories we create, this range of problems of interest, and place them in this chart so that a person with this problem on his mind under these conditions sees what has been done here. Not only do we do this but all these words that are descriptive terms for describing the literature that exists in this area will appear in this block. That was a simplified view of things— I think you can read the rest and appreciate its relevance to some of the remarks I made before. This is a simplified view only for our purposes here. If I were to show you a true chart, the one that developed for the fire problem, I think you can appreciate that it is a fairly involved chart. The hope is that on perusal by the user, the person who has a problem in mind and then comes to our system and says where can I find information and we give him this, he gets a first clue into how to interrogate the system to find his information. What words does he use to the computer to say give me information along these lines and the computer will begin to formulate a form.

This chart is also used by the people who 
input the information into the system and any 
key words that they develop to describe the 
contents of the documents they review go into 
those blocks so that the user, the guy search- 
ing sees the words that the inputter created 
to describe the information that exists there. 
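The safety grid described in the two paragraphs above is a small data structure: conditions along one axis, failure causes along the other, and in each block the descriptor terms the inputters attached to the literature filed there, which the searcher then reads off to form his query. The following is an added illustration written for this edition, not a chart or program from the talk; the conditions are the three named by the speaker, while the failure causes and the terms in the blocks are constructed placeholders for cryogenic fluid safety. It also reports the blocks nobody has filed anything into, which is the gap list a data bank keeper would want.

```python
class SafetyGrid:
    """Grid of failure causes against the conditions under which they arise.
    Each block holds the descriptor terms the inputters attached to the
    literature that falls into it, so a searcher can read the words to use.
    (Constructed example; not the NASA chart or its program.)"""

    def __init__(self, conditions, causes):
        self.conditions = tuple(conditions)
        self.causes = tuple(causes)
        self.cells = {(cond, cause): set()
                      for cond in self.conditions for cause in self.causes}

    def add_terms(self, condition, cause, *terms):
        """Inputter reviewing a document files its key words in one block."""
        key = (condition, cause)
        if key not in self.cells:
            raise KeyError(f"no block for {key}")
        self.cells[key].update(t.lower() for t in terms)

    def query_terms(self, condition, cause):
        """Searcher with this problem under this condition: words to feed the computer."""
        return sorted(self.cells[(condition, cause)])

    def terms_for_cause(self, cause):
        """Same failure cause across every condition (one row of the chart)."""
        terms = set()
        for cond in self.conditions:
            terms |= self.cells[(cond, cause)]
        return sorted(terms)

    def empty_blocks(self):
        """Blocks nobody has filed anything into: gaps in the collected literature."""
        return sorted(k for k, v in self.cells.items() if not v)

    def render(self):
        """Plain-text chart: one row per failure cause, one column per condition,
        each block showing how many descriptor terms it holds."""
        width = max(len(c) for c in self.conditions + self.causes) + 2
        header = "".ljust(width) + "".join(c.ljust(width) for c in self.conditions)
        rows = [header]
        for cause in self.causes:
            counts = [str(len(self.cells[(cond, cause)])).ljust(width)
                      for cond in self.conditions]
            rows.append(cause.ljust(width) + "".join(counts))
        return "\n".join(rows)


def build_cryogenic_grid():
    """Constructed example content; the causes and terms are illustrative placeholders."""
    grid = SafetyGrid(("transportation", "storage", "system handling"),
                      ("contamination", "overpressure", "embrittlement", "leakage"))
    grid.add_terms("storage", "overpressure", "relief valve", "boil-off", "vacuum loss")
    grid.add_terms("transportation", "overpressure", "boil-off", "road tanker")
    grid.add_terms("system handling", "embrittlement", "low temperature", "fracture mechanics")
    grid.add_terms("storage", "contamination", "moisture", "purge")
    return grid
```

The same `add_terms` call serves both roles the speaker describes: the inputter uses it when characterising a reviewed document, and the searcher reads the result through `query_terms` to learn which words the computer will recognise for his block.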

With regard to the IDEP record, this is the business of putting into the computer a record of the failure rates for equipment under test. The purpose of our computer handling of this is to tell a searcher where he finds the record on the piece of equipment he is concerned for. The address, because the IDEP system provides microfilms of all tests and there is where the information he wants resides. The question is, where is it? In all of the tapes that exist, all of the microfilms, in other words, he is looking for this address, the microfilm address code number. Once he gets that code number, he knows how to spin his microfilm to find out where the information exists. Now he can find the component he is interested in in a variety of ways. He knows the accession number, (I won't try to describe these terms in too much detail, I don't have time) the manufacturer, say the company, of the equipment, the date it was made or the date of the test, or the government part number or a description of the part. Maybe it is a relay, the contact rating in this area etc. He feeds this to the machine. The machine then prints out a page that looks like this and he can check and see whether this is truly the piece he wants, and is this the correct part number if he has the part number of the Vendor's part, and so he says, Yes, that is the right one, and he knows where to search in the microfilm.

From time to time NASA puts out alerts on parts and this we hope to have in the machine and the key issue here on the alert, not worrying about anything else, is this, that people have in the machine a system of alert. If somebody is concerned about what the latest alerts are, he simply queries the computer from a remote station, a console remote from our system, by telephone lines and asks what is the latest alert. He gets a statement which says failure analysis confirms something about a part and the trouble with the seal, etc. and he can identify what the alert is trying to tell him.

With regard to other data centers, we have identified about 150 data centers which we think are useful in our business. There are probably more. We hope to have them within our computer and we ask for certain information and say what data centers would have information on particular things. The computer would give a printout which would give them the name of the information center, say Electronics Properties Information Center, and then what do they cover in that center. If you are concerned for liquid metals and hazards associated with these, this is the kind of coverage the liquid metals information center would give you. Not only do you get this, you get information on first, the name of the Center, where it is, how you get information from them, do you call them up, do you send them a letter, do you have a fee to pay, etc. We hope that our Information Center will be one of a network. There are many good ones that have capabilities like ours and we hope that we can tuck them all together in one network so that when you query the system you query everybody's data base. We are trying to make our system consistent with this point of view. If you want to be part of this system and you want to query the information that we have, do you have to call us? I hope not. We would be available for any calls or for any letters of inquiry, "What do you have on some kind of problem?" but we hope that those who are principal users of safety information will have their own console substations which are reasonably cheap. A $5,000 or $6,000 investment gives you such a station. With this tie-in, you dial the telephone, FTS or any other voice communication line will put you in communication with our computer and give you the opportunity to access it for information only. This doesn't give you the opportunity to change the contents, only to get the contents out.

It is made of three major components. 
First a TV screen on which the print-out of 
the computer is placed and gives you all the 
information regarding the document you are 
looking for; a keyboard for instructing the 
computer on what you want next; and if you 
see something on the TV screen that you like 
and want to preserve after making a search, 
you hit a button on the keyboard and a print- 
out, permanent record hard copy appears here. 
These are the three components. For an in- 
vestment of $5,000 to $6,000, you get them all. 

We hope that our system will be rich enough to justify others having remote stations.
Our hope is that we can handle many queries, 
40 people on the line simultaneously. 

That then concludes my description of the 
work we are doing. 

Thank you. 

HOW SAFE IS SAFE?

The question "How safe is safe?" will be frequently directed to those who work at preventing accidents. The question will often take these forms: How far do we have to go with these precautions? How much money or effort shall we spend to prevent accidents? Do we need "redundancy," "back-up," "guards," "fail-safe," "emergency procedures," "more training?" If we provide backup for an operation, shall we backup the backup? If we do, how much safer is it? If we spend money to reduce the hazards all the way, is it worth it? Is the benefit worth the risk? This last question has become a most serious one for businessmen today in the light of increasing awareness of the public and attending claims consciousness. While still not taken as a national policy, it is becoming more and more recognized that "accidents can be prevented." And so— how much prevention?

We safety managers have a notion that we know what is safe. No doubt! Experience teaches us to know better than some others what is safer, and only perhaps what is unsafe. But "safe" and "unsafe" are general, abstract, unquantified, relative terms. Heretofore we have been successful only to the extent that we have given more attention to eliminating or controlling conditions from which accidents can arise which are discernible to a trained eye.

The unconscious desire of specialists is 
to prevent change in their specialty— (A quot- 
able quote from one of the cases)— "To a 
specialist "change" means unlearning a sec- 
tion of knowledge, a painful process!" 

With the development of additional attention and emphasis on safety and the greater urgency technologically, socially and politically, we are refining the search to prevent accidents with the more diligent application of engineering methods and the stricter use of logic and of computer selected information. Thus conditions that were formerly called "accident causes," are found out or discovered, and anticipated, and the potential for loss eliminated, controlled, or otherwise negated. We find that many so-called accident causes were not unforeseeable and unpredictable! We didn't search with sufficient diligence! Thus system safety analyses become, not panaceas, but only aids to anticipating what was formerly unanticipated. The probabilities have been qualified and quantified. The result of these efforts permitted us to send men to the moon and bring them back safely. They can be used in many other applications with similar success.

THE ANSWER IS LAW 

But this search still does not answer the question fully — how safe is safe? It only tells us that asking "what if?" often enough and providing the answers will make our hardware, process or management safer. In fact, to be able to go all the way will require more than human clairvoyance. I submit that in any given situation the question of whether this process has been followed to an adequate degree will usually be explored in a court of law.

Safety is a state of being free from or the absence of danger. Danger is a positive word and means that there is a potential for harm or loss. (Incidentally, the word for "safe" in Russian is the equivalent in English of "danger" (oposnosti) plus the prefix "without" (bez) which makes it "safe" i.e., without danger.) Harm is damage or hurt. And, unless the hurt is to the perpetrator himself, there can be a claim for negligence. When negligence is alleged in a court action to be the cause of the damage, we are all set for a determination of "how safe is safe" because the law will want to know among other things "How diligently did the responsible person look for the causes of harm and what did he do about them."

Throughout the cases of negligence, defini- 
tions and court determinations are generally 
consistent. In general "negligence is an act or 
omission in violation of duty to exercise 
ordinary care by reason of which injury to 
person or property occurs."* 

Courts always imply that the negligence or 
failure to do or not do was what a reasonable 
or prudent person would do or would not do 
under the circumstances. 

PRUDENT PERSONS WILL ANALYSE 

It is my purpose to advance the idea that in some circumstances "what a reasonable or prudent person would have done under similar circumstances" will be to make a systems analysis. So far I have been unable to find adjudicated cases where this has happened, though I've been told it has.

*Sec. 32, 38 Am. Jur., p. 643.

If there are any, they are rare, so far. However, one does not have to stretch the imagination to realize that under many circumstances, now developing in products safety, technical operations, complex machinery, aircraft, pollution and other modern situations, negligence will consist "in" not having looked as systematically as one could have. "The policy of the law has relegated the determination of such questions to the jury (i.e., was he a reasonably prudent man?), under proper instruction from the court." When products and processes become too complex for a jury to understand or too technical for a judge to comprehend, some other means than rhetoric may be needed. What is "ordinary care" may be quite difficult to explain. The search for negligence has already been extended all the way back to defects in design. Such cases put a strain on laymen and technical terms before the judge. What better way in a technical situation to demonstrate to a jury how diligently one has sought out and eliminated those circumstances which could cause actionable harm or loss? Particularly is this so when the expression "the analysis applies throughout the life cycle of the system" is honestly applied.

From a case in the books: "A reasonably prudent man will neither neglect what he can foresee nor waste his anxiety on events that are barely possible. . ." [What is barely possible has only been occasionally quantified in legal thinking. Not so, in a system analysis. In some analyses, the "barely possible" is actually put into numbered probabilities.] Continuing the quotation— "but he, the reasonable man, will order his precautions by the measure of what appears likely in the known course of things, whether the particular act or acts charged in the petition were performed or omitted and whether the performance or omission of some of them was a breach of legal duty."*

This, in legal terms, describes what one 
does in a logic analysis! 

Having made an analysis, the step by step documentation required in practically every Safety Analysis Report, Operations Readiness Review, Fault Tree Analysis, Failure Mode and Effects Analysis, etc., provides recorded proof that one was diligent, not negligent.

*Sec. 38-28 Am. Jur., p. 645.

The day may be here already, considering the advances in technical knowledge and techniques for retrieval of hazard information and accident experience, that a man or person (corporation) may be considered negligent if he has not used a system analysis in the design of a product to offer to the public.

If this theory is to be of value, the question 
of admissibility of such proof will have to be 
considered. This will be touched later. 

THE LAW CHANGES 

Argument for use of system safety techniques as a legal instrument is supported by several considerations. These techniques are certainly new tools. They have accompanied the growth of recent technologies—atomic energy, aircraft, space. But law and lawyers use new tools, too. The needs of a changing society will be reflected in the decisions in the courts. This growth and change in the law is most interestingly dealt with in a book titled "How High is Up" by Loth & Ernst.* They trace, in some of those fields, the manner in which law has adapted itself to modern new problems beginning with the legal concept "caveat emptor" i.e., "buyer beware." They show how this concept was changed in a few years, by reason of the "Cardozo Revolution," to a 180° attitude and is now "caveat vendor", (seller beware).

They, Loth & Ernst, show that concepts of liability in aviation brought about vast changes in the law regarding ownership of land and air, and the effects on the posture of society in respect to noise, vibration, comfort, right of way, personal injury.

In McPherson v. Buick, 1916 Judge Cardozo said, "on the basis that science perfected previously undreamed of safeguards against inanimate objects and also much more damaging objects the vendor has a responsibility and a liability if he was placing a dangerous object on the market." Later interpretations placed liability on aircraft manufacturers, based on the lack of reasonable care in the design and control of quality. I dare to predict that the law will recognize and use logic techniques, technological advances in the storage of accident information, system safety analyses, the tests and measurements and requirements for documentation that the space industry has developed.

It is not unreasonable to expect that in the 
field of negligence, warranty, breach of con- 
tract and rules of evidence, the law will adapt 
to more systematic assistance in seeking out 
the truth in appropriate cases, by the very 
means used to assure safe hardware. 

AS EVIDENCE 

The books say "Proof which is addressed directly to the sense of the court or jury without interposing the testimony of witnesses — is the most convincing." The presentation of charts, diagrams or tables which make up the analysis would, no doubt, require the engineer or persons qualified to be present. Diagrams or charts showing the basic assumptions of steps and stating the manner in which a system safety analysis was made and the controls which were applied will probably be allowed as evidence. The witnesses would be required to be authenticated by the presiding judge.

Let us look at another aspect of system safety and evidence. How well would the documentation required in a system safety analysis serve the lawyers?

"In general where a map, or a drawing is offered as embodying in itself, the knowledge of the witness to which he, in this form deposes, the verifying witness must be shown to have personal knowledge of the facts so as to qualify him to testify to their correct representations. . ." It is my feeling that the step-by-step documentation not only provides the witness with a most potent method of recall, but it also demonstrates that nothing within the power of the intellect has been overlooked in the search for safety, and that there was diligence.

TESTS 

"The courts, though they do not favor experiments and tests by the jury itself, now very generally permit relevant experiments, demonstrations or tests by others in court or permit evidence of experiments performed out of court. . ." This would seem to say that tests made as part of a hazards analysis, where the probability (or improbability) of failure is to be demonstrated, would surely be admissible. Similarly, tests which frequently become part of a system analysis will probably be admissible.

RISK VERSUS BENEFIT 

The queries "What is safe?" or "How un- 
safe is unsafe?" are also tied into the con- 
struction which may be put on the concept of 
"benefit versus risk." 

Ernst in "How High is Up" says "So law must always strike a balance between risk and recklessness." He mentioned this (he said) because it struck him as exceptionally plain in considering atomic energy. But use of atomic energy is not the only situation where this question is being posed. We see it frequently, for instance, with respect to environmental pollution, now considered as a great risk. Here it would seem that the law, when faced with this dilemma, risk vs benefit, will be greatly aided when the engineer or scientist applies his informed logic beforehand, in respect to what the risk is, that is to be balanced. So it is possible that the precise quantification of hazards by technical analysis may more clearly help to determine the values of risk and benefit for the law as well as for the engineer.

ACCIDENTS FEED THE LAW 

In the field of atomic energy there have been 
relatively few successful litigated claims for 
damage. In fact, few accidents. I can speak here 
with some knowledge, since I wrote the first 
complete repertoire of all accidents involving 
nuclear energy, which is now an Atomic 
Energy Commission biannual report. At the 
time there was no collected history, and I was 
somewhat surprised that the report sold over 
7,000 copies at the Government Printing Office. 
The whole application of a new energy source and its integration into society is an instance where the lack of accidents, due to the rigid requirements written into the law relating to its use, the extreme caution exercised in the manufacture and control of these hazardous materials and the experience with other kinds of energy deprived the courts of precedent on which to base decisions. (This further supports the thesis that until there is loss or damage we have no measure of what is safe or unsafe.) It will be interesting in the future as to what weight will be given by the courts to the extreme care exercised in the control of this hazard including the Safety Analysis Review system of analysis.

When accidents do not occur, both plaintiff and defendant are left without a good measure of the relationship of benefit and risk. For the question of excessive risk is going to depend on what the courts decide is excessive, that is, whether the controls were or were not what a reasonable man would have done — and whether even so, the public benefit prevails.

STRICT LIABILITY 

In certain situations a product or process is held to be hazardous without further proof to the contrary. This raises a speculation. In the doctrine of strict or absolute liability the person who puts a hazardous product on the market without performing certain actions such as warnings and specific instruction to the buyer will be considered negligent per se. However, it would seem the absolute liability might someday be successfully fought off and the trend turned, shifting the liability back from the vendor and giving him a chance to plead benefit to the public and the absence of unevaluated hazard. The law makes its changes in small steps. The applications of new methods of engineering analysis are also steps, usually in the direction of greater precision and sounder logic and safety. Perhaps these technical steps toward greater perfection will be the occasion for new legal approaches. It may be possible to avoid throwing up one's hands and saying "This machine is too dangerous to allow man to use it." It was only a few years ago that the possibility of atomic energy for power was abhorred— today there are many nuclear power plants on the line in spite of the fears of the public and the experience is good.

When I became interested in the relationship between system safety analyses and the law, I had not looked at a law book in many years. Consequently, changes were very apparent to me, and the possibilities of changing from absolute liability back to a defensive position by reason of an engineering procedure that looks at, identifies and eliminates hazards would seem quite real. "There are few constants in the law but continued change. . ."

Given a hypothesis or doctrine of strict liability there must also be a corollary that says "you may do something or offer a product in the first place." That is, you are not prohibited from doing so, but if you do so, the law says you must be prepared to be liable for it. In other words you are deprived of the defenses normally available to a reasonable man. I submit again, subject to argument of course, that here is an ideal situation for the use of logical analysis of risk. By using (and perhaps by usage) system safety analyses, you and the court can arrive at a more precise idea of the true hazards, correct and control them, and provide proof that the previous strict liability is not to be assumed. 

APPLIED TO THE ENVIRONMENT 

The National Environmental Policy Act of 1969, P.L. 91-190, 1970, imposes requirements on all Government agencies to interpret and administer their policies, regulations and public laws in accordance with the policies set forth in the Act. Those policies relate to conservation and use of the environment, and assuring safe, healthy, productive, esthetic and culturally pleasing surroundings, and other purposes. These requirements will fall on industry to an increasing degree. 

To accomplish these purposes the Congress 
states under Sec. 102 of the Act that the 
agencies shall — 

"(A) utilize a systematic, interdisciplinary 
approach which will insure the integrated use of 
the natural and social sciences and the environ- 
mental design arts in planning and in decision 
making which may have an Impact on man's 
environment; 

(B) identify and develop methods and pro- 
cedures, in consultation with the Council on 
Environmental Quality established by Title 1 
of this Act, which will insure that presently 
unquantified environmental amenities and 
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values may be given appropriate consideration 
in decision making along with economic and 
technical considerations; 

(C) include in every recommendation or 
report or; proposals for legislation and other 
major Federal actions significantly affecting 
the quality of the human environment, a de- 
tailed statement by the responsible official 
on — 

(i) the environmental impact of the pro- 
posed action, 

(ii) any adverse environmental effects 
which cannot be avoided should the proposal 
be implemented, 

(ill) alternatives to the proposed action, 

(iv) the relationship between local 
short-term uses of man's environment and 
the maintenance and enhancement of long- 
term productivity, and 

(v) any Irreversible and Irretrievable 
commitments of resources which should 
be involved in the proposed action should 
it be implemented." 

It is the five specifics under (C) that de- 
serve our attention when pursuing the subject 
of the title of this paper. 

As written, those requirements paraphrase quite suitably the basis for a systems analysis. The objective of a system safety analysis is to avoid an undesired event, in this case one which will pollute the environment. In a systems analysis of a piece of hardware this event is equivalent to a failure resulting in damage or loss of a mission. 

The methods available, such as Fault Tree, Failure Mode and Effects, and Gross Hazards Analysis, could be used to identify the events which will bring the pollution about. 

The selection of available alternatives to the proposed action, as required in this law, will become possible when they are pinpointed in the analysis. 


The commonly used term in the analyses of space systems is "trade off." It accurately describes the relationship in item (iv) above. 

And finally, item (v) is a statement of the residual hazards and the requirement on which management decisions must be made. 

The usual hard requirement in a system analysis is that each step is documented, and that the whole analysis provides for sound management decisions. 

The administration of the requirements of the Environmental Act places an added burden on almost every project or activity of any importance, and it would seem that system analysis would provide a simple and effective procedure to assure that a given project meets the intent of the law. 

Summary 

The final answer to the question of safeness is stated by the courts. What is "safe" changes with experience. 

As technology advances new tools are developed. The new system safety analyses (methods) are such tools. 

The law and lawyers use new tools. 

The needs of society will be reflected in decisions of the courts. 

These decisions change the law step by step. 

It is not unreasonable to expect that the law eventually adapts its decisions as to what is and is not safe to the real world, and better engineering analyses will be a defense against liability all the way back to design. 

If, in the real world, we find system analyses useful, so also will the courts, and they can find them so in negligence, warranty, breach of contracts, evidence. 
QUESTIONS AND ANSWERS 


DR. CLARK: I am interested in the problem 
of liability of the vendor from the last speaker. 
On what basis do you say, at the present time, 
that this is the situation, when you notice that 
the percent of defective sales that are going to 
qualify a builder for settlement, are less than 
1%? The National Commission on Product 
Safety has identified .05% as the typical quality 
reliability insurance plus settlement costs. 

MR. HAYES: I don't think I quite understand your question, or did I just hear the first part of it? 

DR. CLARK: Why do you say it is up to the vendor today, that the manufacturer is taking the responsibility for its product? 

MR. HAYES: I think you will find that in those cases that have resulted in very large settlements, and where the cases are completely litigated (i.e. not settled out of court), the responsibility in many cases today ends up on the vendor. 

DR. CLARK: This is a very small percent 
of sales! The real responsibility remains on 
the buyer. 

MR. HAYES: All right, I buy that, but we are talking about litigated cases. Many airplane cases end up in placing the negligence on the designer of the airplane. This is becoming more and more frequent. It is my point that adequacy of design is important now in law suits, and the courts look at how the manufacturer designed the product to determine whether or not the manufacturer is liable when it is involved in an accident. 

DR. CLARK: We were very impressed in 
the National Commission on Product Safety with 
what a small percent of the product failures end 
up in liability suits. Most of these things of 
course get settled out of court, but it is a very 
small percent that ends up as the manufac- 
turer's responsibility. 

MR. HAYES: Yes, but I think if those products happened to be pressure cookers or other hazardous devices or vehicles that get into the public's hands and create the accidents, I think you will find a larger percentage. 

MR. BOLGER: It would be interesting to 
see how the settlements went too. 


QUESTION: Concerning the supervisors re- 
porting on accidents, you seem to indicate that 
this supervisor knows what the problems are 
in this management system and you infer a 
great deal of validity to what this man is saying, 
how do you know that what he is saying is that 
valid? 

POPE: I don't know that I can take your question and give you the answer that you're looking for. The only thing that the line supervisor knows is that things are going wrong. What we've done is, we have a coding system, and we have given him a number of questions which he can respond to; we literally lead him towards it. For example, if he thinks personnel is giving him a problem, or he has a problem there, he then has a whole series of things he looks at under personnel, and one of them would be staffing. If he has a lifting problem, he can say, well, we can go out and train them how to lift, yes, but I should have an extra man there too. He not only puts in that he has a condition of lifting, but he also puts in that he has a personnel problem related to staffing. Then, when we go to the computer and ask how many staffing problems we have had in accident situations related to personnel, we can then go back to personnel with a cause and a cost (we go by cost) and say to our personnel function that has something to do with staffing: do you realize that there is a staffing problem generally in this particular area of the organization, which is shown by the number of cases that came out where, not necessarily lifting, but staffing was the problem in many other instances too? These people are not happy with their staffing situation and it has cost us this amount of money because of it; therefore, you have a responsibility, a concern to solve that particular problem, not me. 

QUESTION: I would like to ask Mr. Pinkel 
about the datafax accessibility. Is it accessible 
at the present time only to NASA contractors 
and NASA personnel? 

MR. PINKEL: Anyone can request the information he wishes to have. It is available to the community at large, really. No charge is involved. 
MR. BOLGER: That is the intent of it, isn't it? It is to be used for the nation as a whole, right? 

MR. PINKEL: It is for the nation as a whole. 
Of course, the interest is steered to the 
aerospace community, but anyone has a right 
to it. 

QUESTION: Would the information be inaccessible to any lawyer to get information for a law suit? 


MR. PINKEL: We can't keep a citizen from 
having access to the bank. 

MR. BOLGER: That poses the problem of who is going to put information in it, right? 

MR. LEDERER: Then he can be sure of his 
facts before he distorts them. 

MR. PINKEL: We'll distort them a little first, Jerry. 
As a participant of the first Air Force-Industry Conference on System Safety in 1963, I remember the aims and claims of the proponents of this new concept; the presentations on why System Safety programs were necessary; and other (hopeful) assurances that System Safety programs would minimize the number of accidents involving new systems. After eight years, I believe we have neither achieved the aims nor fulfilled the claims. This paper will try to indicate why not, and why they can continue to fail. My experience has been with DOD activities, procedures, specifications and standards, and my comments are predicated on that experience. NASA personnel will probably be able to correlate those comments related to DOD with their own practices and problems. 

Let’s start at the beginning, with the initial 
requirement for a System Safety program in 
a Statement of Work. 

The item which can contribute most to 
failure of a System Safety program is am- 
biguity, lack of clear definition, use of ob- 
solete requirements, and pure typographical 
errors in a poor Statement of Work. 

This leads me to a set of axioms regarding contractors' efforts. They apply to contractors for ditch-digging, the aerospace industry, or any other activity. They are not intended to be derogatory; they are merely basic facts of life which everyone should understand. 

Axiom #1 - No contractor will accomplish 
a task unless he is specifically and contrac- 
tually required to do so. 

Axiom #2 - No contractor will include in a proposal for a contract any uncalled-for effort which will increase his cost so that he might not be awarded the contract. 

Axiom #3 - Any requirement which is not 
clearly stated will be interpreted to the best 
advantage of the contractor. 

Axiom #4 - A contractor will pay more attention to a requirement which stipulates a penalty for noncompliance than to a requirement for which no penalty is indicated. 

When MIL-STD-882 was being coordinated, 
some engineers argued (and won) that no other 
specifications or standards should be refer- 
enced; they should be included in the State- 
ment of Work. Frequently they are not. Some 
Statements of Work still refer to specifications 
and standards which have long been rescinded. 


Add typographical errors, and the problems grow even more complicated. I have seen AFR 127-100, Responsibilities for the Explosives Accident Prevention Program (which involves relationships between the Air Force and the Armed Services Explosive Safety Board), with which the contractor has no concern, cited when AFM 127-100, Explosives Safety, was meant. Axioms #1 and #3 apply in such cases. 

An especially miserable requirement I have 
seen in a Statement of Work is: "The prin- 
ciples in AFSC DH 1-6 will be observed." 

What principles? I found one and it was wrong. (In Design Note 4B2: Fuel/Propellant Equipment, it states: "Component design and selection must be based on the fail-safe principle, i.e., failure will cause minimum system degradation." Actually, the fail-safe principle is: first and foremost to prevent injury; secondly to prevent damage; and lastly, to prevent system degradation.) 

Next I would like to propound "Hammer's 
Law": The probability of failure of a System 
Safety program varies directly as the square 
of the time from system concept until a firm, 
clear, funded System Safety requirement is 
issued in a Statement of Work. If the require- 
ment isn't in early, there may be problems; 
if it is left until the end of development, don't 
expect much. It is easier to guide designers 
into safe practices than it is to change pre- 
pared designs. 

Another detriment to the success of any System Safety program is the use of "weasel" words in Statements of Work, specifications, standards and other criteria. Safety requirements are indicated and then qualified by a following phrase, such as "as far as practicable" or "if practical". Or a paragraph will state: "Designers should consider the following:" and then list requirements. The designer considers them and then decides he'll stick to Axioms 1 to 4. If the procuring activity believes there is a valid requirement, it should be stated clearly, firmly and without qualification. If the contractor cannot meet the requirement or wants to deviate, he should request approval from the procuring activity. 

Unless the safety requirements are stated clearly, and where they are readily apparent as firm requirements, some of them will be overlooked by designers. The Air Force has placed much of its reliance for this on AFSC DH 1-6, which I believe failed miserably. The best document I have seen for this purpose is the Navy's MIL-S-23069(Wep), Safety Requirements, Minimum, For Air Launched Guided Missiles. It was issued in 1961 and requires updating and other revisions, but even now is very useful. 

The next major problem to accomplishment of a good System Safety program is MIL-STD-882 itself. The original System Safety specification, which applied solely to the Air Force, was MIL-S-38130. It was prepared in the Directorate of Aerospace Safety at a time when the Air Force was receiving new missiles and putting them into operational use with little prior warning of their hazards, and with inadequate safeguards. Some of the propellants were considered so toxic, reactive, and explosive that the Air Force hardly wanted information on them revealed to the general public. MIL-S-38130 was therefore prepared to alert Air Force safety people against the next hazards coming down the pike; and secondly, to permit safeguards to be provided during development. The Gross Hazard, and now Preliminary Hazard, analysis was stipulated; primarily for the alerting process, and then to initiate action to provide safeguards. This procedure has generated problems and should be updated. 

I have contended for a long time that any system (or product) will have only a limited number of factors which will directly cause injury or damage. I call these "primary" hazards. There are numerous and various contributory factors to each of these, but the primary hazards are limited. This is true whether an aircraft, space station, skateboard, tank, radar or washing machine is being considered. 

Figure 1 is a Safety Consideration Tree for a submarine, prepared to illustrate this contention. It is indicative of what can be done. People more knowledgeable of submarines can probably improve it. The block on "Injury" can be expanded in a manner similar to the one on "Damage". The trees are easy to prepare, and should be prepared by the procuring activity for each system for whose development it is responsible. After a few iterations and reiterations, some fine trees will result. Information derived from them can be put to many uses: 

a. The various factors which can affect safety and which must be considered in the development of a system or product are readily apparent. There will be no need for a Preliminary Hazard Analysis. The first advantage to this is that it will eliminate a sore point for competing contractors. No contractor likes to point out that hazards exist in his system. A contractor with the better System Safety engineer might be able to point out more hazards, making his design appear more dangerous than that of a competitor with a less knowledgeable System Safety engineer. With this method, the contractor will not have to make a Preliminary Hazard Analysis. He can get on with his more detailed analyses. 

b. MIL-STD-882 now requires a Prelimi- 
nary Hazard Analysis be prepared for use in 
the next phase of development. If one wasn’t 
prepared in the previous phase, a problem 
arises. With the concept I envision, the pro- 
curing activity will indicate the problem areas 
which they have established from the Safety 
Consideration Trees; the contractor indicates 
in his proposal how he will handle them; the 
procuring activity either approves or requests 
more satisfactory information until it does 
approve; and things get started immediately, 
in the current program. This method can be 
used even in the Concept Phase where the 
contractors would be required to indicate 
their provisions for safety for each of the 
problem areas, in their system specifications. 
This is the point at which incorporation of 
safety requirements is needed most. Remem- 
ber Hammer’s Law! 

c. When contractors are given the same 
firm requirements on which to estimate and 
prepare their System Safety efforts, they will 
be more comparable. The effort, manpower 
and cost of each task can be broken down and 
evaluated more easily. The procuring activity 
will also find proposals easier to evaluate if 
they are consistent in substance. 

There are other advantages to use of a method such as this: 

♦Data files can be established using the 
same coding as that shown on the trees. 

♦The Armed Services can ensure that each factor or problem is covered by a suitable requirement for safety in a military specification or standard. 

♦Personnel working on any program can be assigned to those problems which they are most capable of handling. 

♦It is a logical method of attacking safety 
problems, instead of waiting until a prob- 
lem jumps out of the bushes. 

MIL-STD-882 creates more problems. The 
use of the four hazard categories is a case in 
point. Those categories generate more prob- 
lems than they are worth. First of all, they 
require clarification if they are to be used for 
any purpose. What is meant by "major system 
damage” or "severe injury”? If the various 
categories are defined well enough by each 
procuring activity to indicate clearly what 
they want them to mean, you will have a 
Preliminary Hazard Analysis. 

The second problem with the four hazard 
categories is that too much time is spent try- 
ing to decide into which category each problem 
falls; and then to justify the choice. There are 
other reasons for which the categories should 
be eliminated (they overlap, detract from the 
effort of minimizing and controlling hazards, 
etc.) which will not be discussed here. 

MIL-STD-882 applies to System Safety 
programs; it has no technical safety require- 
ments, such as MIL-STD-454. If the technical 
requirements are not included in the Statement 
of Work, or by the contractor himself (watch 
out for Axiom #2), they will not become 
criteria to be observed. A solution is to require the System Safety Program Plan to be submitted as part of the contractor's proposal. Even better, this proposal should be submitted as a separate line item. 

One more point about MIL-STD-882 and the Plan: AFSC Form 1664 for Contract Data Requirements states that the Appendix to MIL-STD-882 "shall be used" when preparing the Plan. Since the Appendix and the text of the standard do not jibe, it generates problems. Contractors observe the four axioms I have presented; but when a requirement is presented, they are very conscientious about its observance. So when a requirement says "shall" they want it that way; even if we System Safety engineers say that MIL-STD-882 cites it as a sample, and that it is not very good, they still want it that way because the 1664 says "shall." 


I don't have many gripes about managers, 
especially when I realize they are acting within 
the four axioms I pointed out. Other than that 
I can only say that contractor (and maybe 
procuring activity managers too) have a hard 
time understanding that System Safety engi- 
neering extends beyond the safety considera- 
tions of design, reliability, maintainability, and 
human factors engineers. And very frequently 
it requires a redirection of their thinking when 
we indicate that System Safety includes mini- 
mizing damage of hardware, which was for- 
merly a responsibility of reliability. 

Often, this results in a failure to support 
the System Safety program properly. Another 
management solution is to appoint one or two 
men as a System Safety organization, and to 
direct that representatives in various design 
groups, systems engineering, test, reliability, 
maintainability, and other functional areas 
will perform the necessary System Safety 
tasks for their organizations. From what I 
have seen, it doesn't work. Everyone may be 
very conscientious about it, but such an ar- 
rangement does not work. 

The last problem I have encountered with 
managers is that many believe that any re- 
quirement involving probabilities, such as a 
quantitative safety analysis to determine 
whether a specified level is being met, should 
be handled by the reliability engineers. Per- 
haps they believe System Safety is an exten- 
sion of the hard hat-hard shoe school of safety 
and that System Safety engineers know nothing 
about the more theoretical aspects of engi- 
neering. 

Some of these problems with management 
may actually be due to the System Safety 
engineer: 

a. Many have not gotten beyond the 1963 
stage when talks were common on "Why 
System Safety Is Needed." (If there is no Sys- 
tem Safety requirement in the Statement of 
Work for a contract, there is no point in bring- 
ing up "Why System Safety Is Needed," Begin 
looking for work elsewhere.) System Safety 
engineers have done little to advance this 
discipline to a point where it can be recognized 
as something different from reliability and 
human factors. (Perhaps like Moses in the 
desert after the Exodus from Egypt, we need 
a new more energetic generation to take over, 
to forget the past, and accomplish new things.) 
b. Many System Safety engineers don't know 
where to start a program or analysis. They 
then do either of two things; wait for some- 
thing to rise up out of the bushes with which 
they can struggle; or they get onto the paper- 
work and meeting treadmill. They attend 
meetings and then write memoranda on the 
safety aspects. In between, they review the 
masses of papers which deluge them if they are on the paper route. To these people, the ap- 
proach I have indicated may be helpful in 
trying to figure out which way to go. 

c. Some System Safety engineers are ardent proponents of checklists (I used to be one). Actually, checklists are ineffective for many reasons. Generally they are too late; the design has been agreed upon and frequently accomplished; often they are too general (DH 1-6 is in this category); and lastly, if they are not based on firm requirements (Axiom #1), it is generally difficult to have the designs changed. 

This paper has gotten rather long. In sum- 
mation, I will say that if there is one thing 
which can make a System Safety program fail, 
it is lack of clarity: 

♦Lack of clear requirements by the pro- 
curing activity. 

♦Lack of clear understanding of System 
Safety by other managers. 

♦Lack of a clear methodology to be em- 
ployed by System Safety engineers. 
The system safety discipline has existed 
for several years now as a rather well defined 
concept. There has been very little argument 
as to the desirability of the system safety 
objectives. In fact, among many of those who 
know what these objectives are, there even 
has been generated a fair amount of what can 
only be described as "religious fervor" at the 
prospect of achieving the goals of system 
safety. But, with its well-organized, logical 
and comprehensive approach to accident pre- 
vention, the application of the system safety 
concept in practice has not been as rapid and 
effective as its attributes would warrant. 

The United States Army Board for Aviation 
Accident Research (USABAAR) is vitally con- 
cerned with the application of system safety, 
particularly with respect to new developmental 
Army aircraft programs. USABAAR serves 
as the central agency for the Army Aviation 
Accident Prevention Program which includes 
the receipt, processing and analysis of all 
data and information related to Army aircraft 
accident experience. This paper discusses 
the means by which USABAAR now utilizes this vast store of historical accident data in the implementation of the system safety concept for developmental aircraft. While the methods 
described here admittedly fall short of realiz- 
ing the full potential benefits of using our past 
accident experience, we feel that significant 
steps have been made in that direction. As 
more experience is gained in the application 
of these methods, certainly many refinements 
and improvements will follow. 

The history of an accident can be gen- 
eralized and simplified as shown in Figure 1. 
This depiction will be used throughout the re- 
mainder of the paper as methods are discussed 
which pertain to each segment of the diagram. 

REQUISITE CLIMATE 

Requisite climate, or "hazardous condi- 
tions" as it might be called, indicates that the 
stage for an accident must be properly set. 
If the proper conditions are not present, no 
accident will occur. These conditions involve 
the familiar triad of accident factors: man, 
machine and environment; plus the overall 
factors of command, management and super- 
vision. 


The command or management influence existing in an operation may play a significant role. Some casual remark by the commander at a morning briefing may quite innocently start a chain of events leading to catastrophe. Such influence most likely will concern the urgency of the mission to be performed, the quality of results desired or the belittling of problems, obstacles and risks. The result may be that the impression of "accomplish the mission whatever the cost" is conveyed, which is tantamount to endorsing recklessness. 

The condition of the people involved is 
perhaps the most complex factor present. The 
physical condition, state of mind, morale, 
proficiency and a wide variety of physiologi- 
cal and psychological factors all interrelate 
in a complex way to affect the potential human 
involvement in an accident. Change one small 
item and an accident could be averted. 

The condition of the machine also involves a highly complex functional relationship of hardware which must exist in just the right way before an accident can occur. This relationship includes maintenance practices, worn pieces/parts, age of the equipment, design deficiencies, operating limitations and others, the complexity increasing with newer, more sophisticated aircraft. 

Environmental conditions cover an extremely broad range of phenomena including weather, terrain, operational situation, air traffic control, airfield facilities and many more. The true influence of these conditions on accidents is most often either not known or ignored. 

MANIFESTATION OF HAZARDS 

The worst possible combination of all the conditions listed above could conceivably exist, and no accident would result unless some hazard manifested itself. Given the requisite climate, the manifestation of the proper hazard initiates the accident sequence. This sequence can usually be divided into two or more main occurrences, precipitating and sustaining events. 

The sequence will start with some trigger event which can be produced by a staggering variety of causes; again involving man, machine, environment and management or any combination of the four. Until that time, the factors present in the requisite climate have played a passive role in the accident, where the cause-effect relationship is usually not very precise. With the occurrence of the trigger event, however, the sequence of events which follow is usually quite predictable. What was a potentially hazardous condition before will now manifest itself through some event which, in itself, may never be considered hazardous. For example, shutting down one engine in a twin engine aircraft at altitude may present no hazard whatsoever. Shutting down that same engine while on short final approach during an emergency landing, because the other one failed earlier, could, and did, have catastrophic consequences. 

Rarely does an accident occur as a result 
of one single event. There is usually a series 
of several events which follow the trigger 
event in sequence up to the accident itself. 
These can be called "sustaining events"; if they do not occur, the accident sequence is broken. 

Thus, given a requisite climate or potentially hazardous conditions, the accident sequence begins with a trigger event, is carried forward through sustaining events, and an accident occurs. 
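The sequence just described (requisite climate, trigger event, sustaining events) maps directly onto the Fault Tree method named earlier in these proceedings: the accident is the top event of an AND gate whose inputs are the climate (itself an OR of contributing conditions), the trigger, and each sustaining event. The following is an added example, not code from this paper or from USABAAR; the twin-engine scenario is constructed from the narrative above and every probability in it is an assumed figure for illustration. It computes the minimal cut sets, the top-event probability, and which single events are "chain breakers" (present in every cut set, so that preventing any one of them breaks every accident sequence). The probability evaluation assumes the basic events are independent and appear only once in the tree; with repeated events the cut sets would have to be combined by inclusion-exclusion instead.

```python
import math
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """A basic event with an assumed per-sortie probability (constructed figure)."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: every input must occur; OR: any single input suffices."""
    kind: str
    inputs: tuple


Node = Union[Event, Gate]


def _minimize(sets):
    """Drop any cut set that contains another one (absorption), leaving minimal sets."""
    result = []
    for s in sorted(sets, key=len):          # shorter sets first, so subsets are seen before supersets
        if not any(r <= s for r in result):
            result.append(s)
    return set(result)


def cut_sets(node: Node) -> set:
    """Minimal cut sets: each is a set of basic events that together cause the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    elif node.kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(combined)


def probability(node: Node, suppressed: frozenset = frozenset()) -> float:
    """Top-event probability. Exact only when basic events are independent and
    appear once in the tree (true for the example below). Events named in
    `suppressed` are treated as prevented, i.e. a barrier has been placed there."""
    if isinstance(node, Event):
        return 0.0 if node.name in suppressed else node.p
    ps = [probability(i, suppressed) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)


def chain_breakers(node: Node) -> frozenset:
    """Events present in every minimal cut set: preventing any one breaks every
    accident sequence. In the paper's terms these are the trigger and sustaining
    events; a single requisite-climate factor is not one."""
    cs = cut_sets(node)
    return frozenset.intersection(*cs) if cs else frozenset()


# Constructed twin-engine scenario following the paper's narrative.
# All probabilities are assumed for illustration, not Army accident data.
FATIGUE = Event("crew_fatigued", 0.05)
WEATHER = Event("marginal_weather", 0.10)
PRESSURE = Event("mission_pressure_conveyed", 0.20)
ENGINE1 = Event("engine_1_fails", 1e-3)                        # trigger event
SHUTDOWN = Event("remaining_engine_shut_down_on_final", 0.02)  # sustaining event
LOW = Event("too_low_to_go_around", 0.5)                       # sustaining event

REQUISITE_CLIMATE = Gate("OR", (FATIGUE, WEATHER, PRESSURE))
ACCIDENT = Gate("AND", (REQUISITE_CLIMATE, ENGINE1, SHUTDOWN, LOW))


def sequence_report(top: Node) -> dict:
    """Baseline probability, cut sets, chain breakers, and the effect of each single barrier."""
    cs = cut_sets(top)
    names = sorted(set().union(*cs))
    return {
        "p_accident": probability(top),
        "cut_sets": sorted(sorted(c) for c in cs),
        "chain_breakers": sorted(chain_breakers(top)),
        "p_with_barrier": {n: probability(top, frozenset([n])) for n in names},
    }


if __name__ == "__main__":
    for key, value in sequence_report(ACCIDENT).items():
        print(key, value)
```

Running the report shows three cut sets (one per climate factor), and that a barrier against a climate factor only lowers the probability, whereas a barrier against the trigger or either sustaining event drives it to zero; that is the paper's point that breaking any sustaining event breaks the sequence.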

UNDESIRABLE EFFECTS 

If all this just described did not produce consequences which we wish to avoid, there would be no safety effort at all. It is really the undesirable effects of accidents themselves which justify our attempts at accident prevention. If this statement seems a trifle too basic and should have gone without saying, consider the possibility that we as safety specialists may have tended to lose sight of these undesirable effects of accidents as our basic motive force. Perhaps we have not concentrated sufficient attention on all the adverse consequences we are trying to preclude. We allow ourselves to become completely absorbed and obsessed with safety techniques, methodology and philosophy for their own sakes without maintaining a clear view of our ultimate objective: minimizing these effects. 

The effects of accidents can be grouped into two general areas with respect to time. First, the abrupt damage and destruction to materiel plus injury and death to personnel are the immediate consequences of an accident. Accidents are classified as to the degree of severity of these immediately observable effects. MIL-STD-882, the system safety standard, categorizes hazards in terms of their potential effects on materiel and personnel should an accident result from the hazard. But such categorization is not the end event; in a sense, it should be only the beginning of the analytical process to determine effects of accidents. 

The second grouping of consequences from 
accidents includes the long range effects, those 
perhaps not immediately observable and which 
have an impact far beyond the time and geographical 
location of the accident itself. To 
the Army, these effects add up to a total cost 
in terms of lost or degraded mission effectiveness 
or capability. It is not at all far-fetched 
to say that each aircraft accident, no 
matter how insignificant in terms of immediate 
consequences, has some adverse effect 
on the capability of the Army to accomplish 
its mission. It logically follows, then, that if 
the total number of aircraft accidents is substantial, 
then the impact on mission effectiveness 
also will be substantial. 

At any given point in time the accomplishment 
of the Army mission requires that certain 
aviation resources, people and materiel, 
be available. The degree of non-availability 
of these resources logically has a direct 
bearing on the ability to accomplish the 
mission, that is, on mission effectiveness. Since we 
obviously cannot acquire these resources instantaneously, 
we must not only project what 
our missions will be in the future, but also 
estimate what total aviation resources will 
be required in light of that future mission. 
Such estimates and projections are made for 
as far into the future as practicable and are 
then refined as time goes on. It is an extremely 
complex process, not the least part 
of which involves projecting the status of the 
current aircraft inventory, aviation personnel 
and facilities situation. Any shortfall of quantity, 
quality or capability in our projected 
inventory, personnel or facilities compared 
with our estimated requirements gives the 
basis for planning to acquire these resources. 
If we err and underestimate our losses in 
aircraft and personnel, for instance, or do not 
adequately provide for quality in new aircraft, 
an adverse impact on mission effectiveness 
is the result. 

The main thrust of USABAAR's use of 
accident data for future aircraft programs 
is to estimate the long range impact on mis- 
sion effectiveness through the proper analysis 
of this data. Unless we fully consider the far- 
reaching effects of accidents on people and 
materiel, we are not fulfilling the objectives 
of the system safety discipline. 

ACCIDENT DATA 

Accident prevention programs have tradi- 
tionally operated on the basic premise that if 
the causes of accidents could be determined, 
preventive measures could then be developed 
to eliminate the causes. Following this prem- 
ise, the primary task has been the acquisition 
of data and information through an accident 
investigation and reporting system. This task 
is performed exceptionally well today. Several 
years of diligent sleuthing, exhaustive interviewing 
of witnesses, and even precise laboratory 
analysis by both highly skilled and amateur 
investigators have produced an immense 
store of data and information on the causes of 
aircraft accidents. A significant portion of the 
safety effort of all military services, the Fed- 
eral Aviation Agency, the National Transporta- 
tion Safety Board and civilian aircraft manu- 
facturers and operators is devoted to merely 
processing this wealth of data and infor- 
mation. 

The results of accident investigations have 
usually been recorded in the form of a de- 
scription of the accident sequence of events: 
the confirmed or suspected cause factors; 
recommendations to prevent recurrence and 
general factual data such as date, time, place, 
type of aircraft, crew members, injuries, fatalities, 
etc. In general, the immediate consequences 
of the accident are recorded along 
with the events which led up to the accident. 
Quite often, but not always, it is possible for 
a thorough investigator to delve far enough 
into the past to well define the hazardous con- 
ditions which existed some time prior to the 
accident thereby enabling the accident to 
occur. 

Until fairly recently, the primary use of 
all this data was to provide a source for various 
totals and rates reflecting only the most 
general accident information. The key parameter 
for safety has been the periodic accident 
rate, the number of accidents divided by 
the number of hours flown. Accident "costs" 
have been reported by totalling acquisition 
"book value" for destroyed aircraft and repair 
costs for damaged machines. Fatalities have 
been totalled as have injuries, but with various 
criteria being used to describe severity 
of injuries. Cause factors have been lumped 
into a very few categories which then have 
been totalled. Among the most usually cited 
factors are crew error, materiel failure or 
malfunction, weather and maintenance error. 
Degrees of severity of accidents have been 
classified from "total loss" to "incident" 
depending on the extent of damage and injury. 

Certainly, this most general treatment of 
accident data had a significant impact several 
years ago when compared with the even earlier 
situation when nobody even knew how many 
accidents they had been having. Initially, the 
concentration of attention on safety supported 
by only the most superficial analysis of acci- 
dent data produced dramatic improvements. 
The magic "accident rate" began to drop 
rapidly as if to prove conclusively that such 
measurement of the problem was all that was 
necessary to solve it. 

IMPROVED DATA SYSTEM 

These methods which served the cause of 
accident prevention so well in the past are no 
longer adequate. There are widespread efforts 
underway for the development of more sophis- 
ticated data systems for safety. These efforts 
show that traditional parameters used to 
measure mishap experience cannot be used 
directly to solve many accident prevention 
problems today. Only a few deficiencies which 
have caused accidents in existing aircraft 
can be pinpointed sufficiently to correct the 
problem. For the rest of the problems in 
existing aircraft and for all of the potential 
hazards in a developmental aircraft, the iden- 
tification of these old, generalized parameters 
does little but indicate a broad area of inter- 
est in which detailed analysis and specific 
evaluation is required. The detailed effects 
on mission capability must be identified to 
justify corrective action and the cost of such 
action. 

To enable USABAAR to respond in this 
manner, completely revised accident report- 
ing forms have been developed and put into 
use recently which greatly expand the scope 
and detail of information provided as a result 
of investigation. The new forms were designed 
to take maximum advantage of a vastly im- 
proved data processing capability at USABAAR 
using a large digital computer. A completely 
new management information system has been 
constructed around this computer and is now 
in use. 

It was realized early in the planning stages 
of the new USABAAR data system that it would 
not be good enough if all the computer could 
eventually do was produce the same sort of 
totals and rates produced previously. One 
skeptic, early in this planning stage remarked, 
"We're going to be able to arrive at the same, 
old general conclusions . . . only faster!" It 
has not worked out that way for one basic 
reason. The speed of the computer has enabled 
the efficient processing of timely data in far 
greater detail than ever before. This is the 
key to the success of a modern accident data 
system. 

The production of this much more defini- 
tive data already has significantly improved 
our capability to do the following: 

a. Conduct in-depth studies and analyses 
to determine the long-range effects of acci- 
dents. 

b. Clearly define the sequence of events 
and the mechanism by which hazards manifest 
themselves. 

c. Comprehensively define the hazardous 
conditions which must exist prior to initiation 
of an accident sequence. 
d. Pinpoint areas for specific corrective 
action, specify the action required and estab- 
lish priorities for action. 

e. Forecast measures to limit the requi- 
site climate and inhibit hazard manifestation 
while at the same time placing such actions in 
context with their influence on the long-range 
undesirable effects of accidents. 

DEVELOPMENTAL AIRCRAFT 

We have recently developed methods by 
which this expanded capability can be applied 
"before-the-fact" to developmental aircraft 
systems. It is here that the most fertile ap- 
plication of our management information sys- 
tem is to be realized. These methods have 
shown that the gap can be successfully bridged 
between historical accident data on a fleet of 
existing aircraft in various stages of obsoles- 
cence and potential hazards in future aircraft 
which now exist perhaps in concept only. 

The system safety discipline furnishes us 
with the overall management tool by which we 
can optimize the conservation of resources 
through the prevention of accidents before 
they happen, that is, to design safety into our 
aircraft systems. The heart of this process 
is hazard analysis in which the system is 
examined in a methodical, comprehensive way 
at each stage in its development to isolate 
hazards present. At some point in time, how- 
ever, the moment of truth arrives when de- 
cisions have to be made as to what to do about 
hazards identified through analysis. Some- 
times there is no penalty to correct or elimi- 
nate a hazard. Sometimes the hazard is so 
great that its elimination is mandatory regard- 
less of the penalty. But the vast majority of 
hazards which are identified through system 
safety analysis fall somewhere in between. The 
question then becomes, "How badly do we want 
to eliminate these hazards?" Heretofore, the 
system safety engineer could only fall back 
on the MIL-STD-882 category he has assigned 
the hazard. He has not been able to relate this 
hazard to future adverse long range conse- 
quences. His categorization has only addressed 
the immediate effects. 

History has shown that new operational 
aircraft systems rarely incorporate a very 
large number of advanced technological fea- 
tures. Rather, new aircraft represent rational 


growth versions of previous aircraft with im- 
provements being made where practical and 
high technical risk features being held to a 
minimum consistent with performance re- 
quirements. The point is, in dealing with new 
systems, there is usually not that much really 
"new" about them. Those features of a de- 
velopmental aircraft which are not new pro- 
vide the place where accident data on previous 
systems is most directly applicable. 

It is logical to expect that previous acci- 
dent experience will be used in the design and 
operation of new aircraft so that cause factors 
noted in the past will not recur. To a disturb- 
ing degree, this has not been the case. There 
are several instances of the same feature 
which caused accidents in earlier aircraft 
being duplicated in newer models. One good 
example is the use of "redundant" systems in 
critical areas. Acknowledging that loss of 
hydraulics for flight controls would be cata- 
strophic, one fairly recent design provided 
for two hydraulic systems, including two 
pumps - both driven by a single shaft of in- 
adequate strength. Another design approached 
the same problem by also providing two hydraulic 
systems, but with all the hardware 
and plumbing co-located, greatly increasing 
the chance of double failure from one event. 

Such deficiencies as these were not negligently 
designed into the new system. Perhaps 
such designs were the result of ignorance: 
designers just didn't know we had supposedly 
already learned that lesson. More likely, how- 
ever, it was probably felt that previous acci- 
dent experience of one type of aircraft just 
did not apply to the "new" aircraft on the 
drawing boards. 

This applicability of accident data is a real 
problem when trying to justify certain safety 
features in a yet unborn aircraft. USABAAR 
came face to face with this problem a few 
years ago when we attempted to prove, through 
accident statistics, that the Utility Tactical 
Transport Aircraft System (UTTAS) should 
have two engines. Since we had no twin engine 
utility helicopters in the inventory, we used 
accident data from the CH-47 Chinook, a twin 
engine light cargo helicopter and compared 
that data with the single engine UH-1 Iroquois 
data. As it turned out, one model of the UH-1 
actually had a better accident rate than the 
CH-47. Obviously, this did our argument no 
good. Other comparisons, using available accident 
data, showed some advantage for two 
engines, but not in the clear cut manner we 
thought it should. When the case was presented 
for decision, our arguments were unconvincing. 
We were told our reasoning was essentially 
faulty since a CH-47 differs so greatly 
from a UH-1 that they just could not be directly 
compared. They are of different size, 
have different missions, and do not even 
appear in the inventory in comparable quantities. 
In short, we had attempted to compare 
"apples and oranges to justify peaches." 

This setback caused us to seriously ponder 
the factors which would make a difference in 
decisions such as for the twin-engine UTTAS. 
Our conclusion was that accident statistics 
just do not speak for themselves. The development 
of improved analytical techniques for 
processing accident data could not stop short 
of assessing the long range impact of accidental 
losses. For the UTTAS question we had 
compared single vs. twin engine accident rates, 
materiel failures, injuries and deaths, degrees 
of damage and costs; but we could not estimate, 
for example, the number of single engine 
UTTAS aircraft that would be lost due to engine 
failure and how those losses would affect the 
number we had to procure initially. This kind 
of estimate would have had a direct bearing 
on the decisions being made. 
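The estimate the paper says it could not make at the time, projecting expected engine-failure losses forward into the initial procurement quantity, is sketched below as an added example. It is not USABAAR's method or data. The beta-factor treatment of common-cause engine failure, the engine failure rate, the probability that a total power loss ends in a written-off airframe, the one-engine-out exposure window, the fleet size and the flying hours are all constructed assumptions, chosen only to show how a shared drive shaft or co-located plumbing of the kind described in the hydraulic examples above can erase most of the benefit of a second engine in such a projection.

```python
"""Projecting engine-failure losses into an initial procurement quantity.

Added example; not the USABAAR paper's own method or data. Every rate,
probability, fleet size and hour figure below is constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EngineDesign:
    name: str
    engines: int
    # Engine failures per engine flight hour (constructed; in practice taken
    # from the accident and maintenance data base).
    engine_failure_rate: float
    # P(aircraft lost | every installed engine has failed). Constructed.
    p_loss_given_power_loss: float
    # Beta-factor: fraction of engine failures that are common-cause and take
    # every engine at once (shared drive shaft, co-located plumbing, bad fuel).
    # 0.0 means the engines fail independently.
    beta: float = 0.0
    # Hours flown on the remaining engine(s) before landing after a first
    # failure; the exposure window for a second, independent failure.
    one_engine_exposure_h: float = 0.0


def loss_rate_per_hour(d: EngineDesign) -> dict:
    """Aircraft losses per flight hour caused by engine failure, split into
    the independent and the common-cause contribution."""
    lam_ind = (1.0 - d.beta) * d.engine_failure_rate
    lam_cc = d.beta * d.engine_failure_rate
    if d.engines == 1:
        independent = lam_ind
    else:
        # One of N engines fails (rate N*lam_ind); the aircraft is lost only if
        # the other N-1 also fail inside the exposure window.
        p_rest_fail = (1.0 - math.exp(-lam_ind * d.one_engine_exposure_h)) ** (d.engines - 1)
        independent = d.engines * lam_ind * p_rest_fail
    independent *= d.p_loss_given_power_loss
    common_cause = lam_cc * d.p_loss_given_power_loss
    return {"independent": independent, "common_cause": common_cause,
            "total": independent + common_cause}


def project_procurement(d: EngineDesign, required_fleet: int,
                        hours_per_aircraft_year: float, years: int) -> dict:
    """Expected losses over the planning horizon and the initial buy that keeps
    ``required_fleet`` aircraft available when attrition is replaced from that
    buy rather than by follow-on procurement."""
    rates = loss_rate_per_hour(d)
    fleet_hours = required_fleet * hours_per_aircraft_year * years
    expected_losses = fleet_hours * rates["total"]
    share = rates["common_cause"] / rates["total"] if rates["total"] else 0.0
    return {
        "design": d.name,
        "fleet_hours": fleet_hours,
        "expected_losses": expected_losses,
        # round first so 100.00000000000001 does not become a 101st airframe
        "initial_buy": required_fleet + math.ceil(round(expected_losses, 6)),
        "common_cause_share": share,
    }


# Constructed designs for a notional utility helicopter competition.
SINGLE = EngineDesign("single engine", 1, 1e-4, 0.25)
TWIN_COUPLED = EngineDesign("twin, shared shaft/plumbing", 2, 1e-4, 0.9,
                            beta=0.10, one_engine_exposure_h=0.25)
TWIN_INDEPENDENT = EngineDesign("twin, segregated systems", 2, 1e-4, 0.9,
                                beta=0.0, one_engine_exposure_h=0.25)

if __name__ == "__main__":
    for design in (SINGLE, TWIN_COUPLED, TWIN_INDEPENDENT):
        r = project_procurement(design, required_fleet=1000,
                                hours_per_aircraft_year=400, years=10)
        print(f"{r['design']:28s} expected losses {r['expected_losses']:8.3f}  "
              f"initial buy {r['initial_buy']:5d}  "
              f"common-cause share {r['common_cause_share']:.3f}")
```

With these constructed figures the single-engine fleet loses about 100 airframes over ten years, the twin with fully segregated engines loses a fraction of one, and the twin whose engines share a single point of failure loses about 36, almost all of them through the common-cause term. That last line is the quantitative form of the argument the paper makes about duplicated hydraulic systems on one shaft: the procurement planner sees the cost of the coupling, not just a MIL-STD-882 category.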

Today, USABAAR is carrying its analytical 
work several steps farther than before and 
doing it in much greater detail. While there is 
much work yet to do, progress has been made 
in several significant areas. 

One area much in need of improvement is 
the design of future aircraft systems for the 
specific environment in which they are in- 
tended to operate. This consideration is not 
new, in itself, but the detail to which the 
operating environment must be specified is 
new. A major effort is now underway to clearly 
define the environment in which Army aircraft 
are expected to operate in the future. Given 
this definition, USABAAR is now in a better 
position to identify the specific environmental 
conditions which favor accidents and to specify 
detailed design criteria to counter these conditions. 

Besides the greater detail now reported 
from accident investigation, there is another 
significant improvement which has been 


made in our data system. A uniform method 
has been developed to translate the complex 
details of each mishap into data which can be 
stored and retrieved by the computer without 
losing the essential ability to differentiate 
between the details of each accident. Called 
"ABACUS", which stands for Aircraft Basic 
Accident Causes, U.S. Army, this method 
prescribes a vocabulary and syntax for en- 
coding cause factors of aircraft accidents 
using a key word concept. Coding of accident 
information used to be a matter of fitting each 
set of circumstances to one of a limited num- 
ber of rigid preconceived statements which 
seemed to best describe the event. Obviously, 
this procedure did not allow for distinction 
between similar situations where the differ- 
ences were highly significant when it came to 
specifying corrective action. ABACUS, on the 
other hand, allows for nearly complete freedom 
to record the specific circumstances 
surrounding each individual mishap. 

Statements concerning accidents are con- 
structed using approximately 650 key words 
and phrases. They are combined in a pre- 
scribed sequence to describe phase of op- 
eration, subject, action verb, subject manner, 
subject position and/or condition, main object, 
object qualifier and reason. In addition to 
these key words and phrases, aircraft nomenclature 
is also included using an abbreviated 
version of the aircraft parts catalog system. 
While the number of data elements available 
for use is still somewhat limited, the system 
allows for an extremely large number of 
possible combinations. 

Probably most important is the fact that 
retrieval of data in a usable form is greatly 
facilitated through the use of ABACUS. Depend- 
ing on the purpose of the analysis to be per- 
formed, any combination of ABACUS words, 
phrases or aircraft descriptors can be used 
as an argument with which to query the data 
bank. This exceptional flexibility in output 
means that the entire data base can be focused 
rapidly on virtually any conceivable accident 
prevention problem. We are no longer limited 
by inadequate or unusable data but only by our 
imagination in how to use the available data. 

Using the matrix generating capability of 
the computer, we have greatly expanded our 
ability to compare the more detailed elements 
of information now acquired through accident 
investigation. From the large number of possible 
combinations, relationships between the 
most significant data elements have been established 
as indexes for various areas of 
interest. 
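An added example, not USABAAR's ABACUS software, of the key-word scheme just described: a controlled vocabulary for each slot, statements assembled in the prescribed order (phase of operation, subject, action verb, subject manner, subject position or condition, main object, object qualifier, reason), aircraft nomenclature carried alongside the statement, retrieval by any combination of elements, and a count matrix between two elements of the kind the indexes are built from. The vocabulary, the aircraft designators (UH-1H, CH-47C, OH-6A), the part codes and the mishap records are all constructed for illustration; the real vocabulary of some 650 terms is not reproduced.

```python
"""ABACUS-style key-word encoding and retrieval of aircraft mishap records.

Added example, not USABAAR's own software. The eight statement slots follow
the paper; the vocabulary, aircraft designators, part codes and records are
constructed for illustration (the real ~650-term vocabulary is not reproduced).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Prescribed slot order: phase of operation, subject, action verb, subject
# manner, subject position/condition, main object, object qualifier, reason.
SLOTS = ("phase", "subject", "action", "manner", "condition", "object", "qualifier", "reason")

# Constructed controlled vocabulary: only these key words may fill a slot, so
# two coders describe the same circumstances with the same tokens.
VOCAB = {
    "phase": {"TAKEOFF", "CRUISE", "HOVER", "APPROACH", "LANDING"},
    "subject": {"PILOT", "ENGINE", "HYD_PUMP", "DRIVE_SHAFT", "FUEL_LINE", "TAIL_ROTOR"},
    "action": {"FAILED", "STRUCK", "SHUT_DOWN", "LEAKED", "MISJUDGED"},
    "manner": {"INADVERTENTLY", "PREMATURELY", "COMPLETELY"},
    "condition": {"CO_LOCATED", "SINGLE_POINT", "LOW_ALTITUDE", "NIGHT", "IMC"},
    "object": {"ENGINE", "HYD_SYSTEM", "TREES", "WIRES", "TERRAIN", "FIRE"},
    "qualifier": {"BOTH", "NO_2", "POST_CRASH", "IN_FLIGHT"},
    "reason": {"FATIGUE", "CHAFING", "DESIGN", "WEATHER", "TRAINING", "UNKNOWN"},
}


@dataclass(frozen=True)
class Mishap:
    case_id: str
    aircraft: str       # type/model/series designator (constructed)
    part_code: str      # abbreviated parts-catalog code, or None (constructed)
    statement: tuple    # one key word per SLOTS entry, None where unused


def encode(case_id, aircraft, part_code=None, **words):
    """Build a record from slot=keyword arguments, enforcing the vocabulary.
    An unknown slot or key word is rejected, never coerced to a 'best fit'."""
    for slot, word in words.items():
        if slot not in VOCAB:
            raise ValueError(f"unknown slot {slot!r}")
        if word not in VOCAB[slot]:
            raise ValueError(f"{word!r} is not in the {slot} vocabulary")
    return Mishap(case_id, aircraft, part_code, tuple(words.get(s) for s in SLOTS))


def accepts(**words):
    """True if the slot/key-word combination is valid input for encode()."""
    try:
        encode("probe", "none", **words)
        return True
    except ValueError:
        return False


def query(records, aircraft=None, part_code=None, **criteria):
    """Records matching every criterion given; any combination of slots and
    aircraft descriptors may serve as the argument."""
    if set(criteria) - set(SLOTS):
        raise ValueError(f"unknown slots: {sorted(set(criteria) - set(SLOTS))}")
    hits = []
    for r in records:
        if aircraft is not None and r.aircraft != aircraft:
            continue
        if part_code is not None and r.part_code != part_code:
            continue
        if all(r.statement[SLOTS.index(s)] == w for s, w in criteria.items()):
            hits.append(r)
    return hits


def cross_tab(records, rows, cols):
    """Count matrix between two data elements (a slot name or 'aircraft'),
    the kind of comparison from which the paper's indexes are built."""
    def value(r, name):
        v = r.aircraft if name == "aircraft" else r.statement[SLOTS.index(name)]
        return "-" if v is None else v
    table = defaultdict(Counter)
    for r in records:
        table[value(r, rows)][value(r, cols)] += 1
    return table


# Constructed sample mishaps; designators and circumstances are illustrative.
RECORDS = [
    encode("C01", "UH-1H", "63-11", phase="CRUISE", subject="ENGINE", action="FAILED",
           condition="LOW_ALTITUDE", object="TERRAIN", reason="UNKNOWN"),
    encode("C02", "UH-1H", "28-40", phase="APPROACH", subject="FUEL_LINE", action="LEAKED",
           object="FIRE", qualifier="IN_FLIGHT", reason="CHAFING"),
    encode("C03", "CH-47C", "29-10", phase="CRUISE", subject="DRIVE_SHAFT", action="FAILED",
           condition="SINGLE_POINT", object="HYD_SYSTEM", qualifier="BOTH", reason="FATIGUE"),
    encode("C04", "CH-47C", "29-20", phase="HOVER", subject="HYD_PUMP", action="FAILED",
           condition="CO_LOCATED", object="HYD_SYSTEM", qualifier="BOTH", reason="DESIGN"),
    encode("C05", "OH-6A", None, phase="LANDING", subject="PILOT", action="MISJUDGED",
           condition="NIGHT", object="WIRES", reason="TRAINING"),
    encode("C06", "UH-1H", "28-40", phase="TAKEOFF", subject="FUEL_LINE", action="LEAKED",
           object="FIRE", qualifier="POST_CRASH", reason="CHAFING"),
]

if __name__ == "__main__":
    # Both "redundant" hydraulic systems lost to one event, whatever the aircraft.
    for m in query(RECORDS, object="HYD_SYSTEM", qualifier="BOTH"):
        print(m.case_id, m.aircraft, m.statement)
    for aircraft, row in sorted(cross_tab(RECORDS, "aircraft", "object").items()):
        print(aircraft, dict(row))
```

The point of the fixed slot order and the closed vocabulary is retrieval: a query such as `object="HYD_SYSTEM", qualifier="BOTH"` pulls every case in which duplicated hydraulics were lost together, across aircraft types, which is exactly the question the paper's single-shaft and co-located-plumbing examples raise. Rejecting an unknown key word at coding time, rather than mapping it to the nearest preconceived statement, is what preserves the distinctions the paper says the old rigid codes destroyed.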

One such area is fire in aircraft. A "Fire- 
worthiness Index" has been developed which 
measures all detailed factors relating to the 
incidence of aircraft fires and the immediate 
and long range effects. This index is estab- 
lished for each type, model and series air- 
craft in the inventory so that rankings between 
aircraft can be obtained. All the known ele- 
ments In Fig. 1 are included. Given the de- 
tailed insight into past fire experience specific 
operations and aircraft configurations are then 
evaluated to determine those conditions which 
affect the index. The specification of fire- 
worthiness criteria for future aircraft, than, 
follows this evaluation directly. Furthermore, 
a relative priority can be attached to these 
criteria based on the fireworthiness index. 
For design criteria, the "index" approach is 
being used to make recommendations in terms 
of alternatives expressed as functions of the 
long term impact on mission effectiveness. 
At present, these recommendations are mostly 
general in nature, but as our analytical studies 
are completed, more specific criteria will be 


developed. For developmental specifications, 
in addition to the estimate of long range im- 
pact, we will make recommendations in terms 
of alternatives expressed as functions of pro- 
gram costs, schedule and system performance. 
Such estimates will be of maximum benefit to 
the project manager and as such, maximize 
the effectiveness of system safety efforts in 
a program. 

This has been a very general discussion 
of how USABAAR has begun to solve the dif- 
ficult problem of using historical accident 
data in new developmental aircraft programs. 
By this discussion we do not wish to minimize 
the importance of continuing to develop im- 
proved analytical methodologies. More sophis- 
ticated techniques employing better predictive 
and quantitative procedures are sure to find 
widespread use in the future. We feel that the 
surface has only been scratched and that we 
have embarked on a course that will lead us 
eventually to the most effective attainment of 
the system safety objectives. 
SUMMARY 


As the title implies this is a discussion of 
various issues and requirements which must 
be considered during the actual work of Safety 
Assessment, and does not deal with all the 
aspects of a complete programme. 

The task and its objectives are considered 
and the importance of presentation is stressed, 
so that problems and their solution are dis- 
played adequately to the many disciplines involved. 
The definition of areas of influence to 
which the requirements can be applied and for 


which safety objectives can be derived, is 
discussed. The use of rational requirements 
is considered in this context, as is the use 
of numerical methods in the exercise of 
judgement. 

It is also emphasized in the course of this 
paper that the assessment is a discipline 
which directs the appropriate skills at the 
problems as required, and must never be 
interpreted as a means of replacing these 
skills. 
1 INTRODUCTION 

Much has been said on both sides of the 
Atlantic on the subject of Safety Assessment, 
and, in fact, it is probably right to say that 
it has all been said. There is for example, 
a lot of information published by various 
Government Agencies, which has been 
written as part of their procurement ac- 
tivities, and this has been of immense im- 
portance with its emphasis on the orderly 
application of safety analysis. However, it 
is thought to be generally true that although 
all the material is there in advisory form, 
its application is subject to much freedom 
of interpretation, and assessments have 
been made within these frameworks at many 
different levels, and perhaps with varying 
objectives. It seems opportune, therefore, 
to take another look at the complex path 
through the safety assessment process, as 
simply as possible, with the object of high- 
lighting the principles involved. 

Discussion can range from the admin- 
istrative structure necessary in the manu- 
facturing company down to the specific 
statistical techniques required to deal with 
the validity of a test programme; from the 
type of personnel required in a safety or- 
ganisation and the methods employed to 
make the biggest impact, or, perhaps, the 
influence of the computer on the safety 
programme. Problems of documentation and 
format are by no means unimportant in this 
subject and have been discussed in depth. 
Many other aspects merit separate con- 
sideration and all can have a major influence 
on the approach to safety. This rather daunt- 
ing appreciation of the field emanates from 
my work in the European aircraft industry 
and from a recent opportunity to look at 
safety assessment in a variety of American 
Aerospace organisations and is given to 
emphasise the fact that the subject matter 
of this paper is strictly in line with its title. 
Consequently, I propose to touch upon vari- 
ous issues and requirements which must be 
considered during the actual work of Safety 
Assessment, with the intention of stimulat- 
ing discussion of the basic approach which 
should be made. 


2 SAFETY ASSESSMENT TASK 

The Safety Assessment task is to ensure 
that the design, construction, and operation 
of the device being investigated is suffi- 
ciently safe for its projected use. This re- 
quires the assurance that all foreseeable 
faults and critical situations have been ade- 
quately taken into account. Critical situa- 
tions will include any such conditions which 
may arise when systems are working in the 
fault free mode and must take account of 
external events. 

The demands of a statement such as this 
are immense and, apart from the application 
of the engineering and other skills involved, 
have given rise to the creation of many pro- 
cedures involving different logic and docu- 
mentation in order to assist in its satis- 
faction. 

If we endeavour to state with more 
precision the process necessary to carry 
out the task the following requirements 
arise:- 

(a) To define the safety objectives. 

(b) To display the design, construction, and 
operation of the vehicle in such a manner 
that its potential weaknesses are clearly 
revealed. 

(c) To ensure that the best judgement in the 
skills relevant to the problem and its 
interfaces has been brought to bear. 

(d) To show to the satisfaction of all con- 
cerned that the safety objectives for the 
complete vehicle and its operation have 
been met. 

If the Safety Assessment satisfies these 
requirements the detailed procedure is not 
important and depending upon the technology 
involved, and the possible hazards, many 
perfectly adequate methods are available. 
However, because of the contributions of 
different technologies to aerospace vehicles, 
some standardization on a given project is 
obviously desirable. In particular a standardised 
approach to safety assessment 
should facilitate the feedback of operating 
and servicing data, as experience accumulates, 
so that the aspects can be readily 
updated. 
3 DEFINITION OF SAFETY OBJECTIVES 
3.1 Background 

Where the overall engineering of 
aircraft components and systems is 
concerned, safety objectives have been 
defined in terms of good engineering 
practice, and this has been implemented 
by ensuring compliance with arbitrary 
design rules developed in each suc- 
ceeding generation of aircraft on which 
experience has been obtained. Where 
successive designs have produced rela- 
tively small increases in weight and 
speed it has not been too difficult to 
continue safety assessment processes 
which require establishing that good 
engineering practice is being followed, 
and the satisfaction of certain arbitrary 
rules stated in the airworthiness re- 
quirements. However, when the de- 
signer is asked to produce spectacular 
increases in speed, weight or airfield 
performance, an entirely new depend- 
ence on particular systems may arise 
which may have considerable complex- 
ity and require a more detailed under- 
standing of the interfaces for safety 
reasons. In these cases, it becomes 
progressively more difficult to carry 
out safety assessments on a subjective 
basis, related to arbitrary design rules. 
The fundamental assumptions which 
have been made in most approaches 
during the last decade are:- 

(a) System engineering can be ade- 
quately assessed against the testing 
and experience gained with previous 
systems. 

(b) Adequate safety criteria can be given 
in terms of formalised experience 
and arbitrary statements of good 
engineering practice. 

(c) By complying with these criteria, 
and using the developing skills of 
the assessor the aircraft can be 
made to demonstrate in service a 
safety record expressed on a basis 
of fatal accidents per flight or per 
hour etc. which will be an improve- 
ment on previous experience. 


It seems necessary to emphasise 
these points to demonstrate that safety 
has always depended upon the extra- 
polation of experience and the use of 
the designers' skills. The aim should 
be to provide the best framework of 
objectives, and techniques of assess- 
ment, so that this approach can be 
continued into areas where additional 
system dependence, interaction prob- 
lems, etc., are making the task more 
difficult. 

3.2 Rational Requirements and Major Objectives 

We can now say that to give more 
precision to the statement of objectives 
and the classification of hazards we 
will specify a rational system of re- 
quirements which we will use in the 
more advanced applications, and which 
can be related statistically to the level 
of airworthiness required when the air- 
craft enters service. 

For example we can consider the 
airworthiness standard TSS 1-1 which 
is applicable to Concorde. 

The object of this sort of require- 
ment is to erect a framework which 
allows a more explicit statement of the 
objectives, hazards and their probabil- 
ities than has been usual hitherto. This 
is not to say that adequate assessments 
have not been performed, but it is being 
suggested that it is advantageous to in- 
dicate more clearly than in some past 
assessments why the decisions affecting 
Safety have been taken. 

An important aspect of this, to which 
reference has already been made, is 
that service experience can be more 
readily referred back to the basic design 
assessment, particularly where redundancy 
has permitted low MTBF. 

Very considerable care has been 
taken with the requirement to allow the 
various frequency levels to be defined 
where necessary by analogy or in broad 
terms, but a numerical scale of proba- 
bilities is unavoidable, at least, by im- 
plication. Some people have difficulty 
in accepting this numerical concept, and 
I shall return to this subject later when 
the exercise of judgement is discussed. 

4 THE ORGANISATION OF THE ASSESSMENT 

4.1 General Approach 

The design, construction, and opera- 
tion of the vehicle should be displayed 
in such a manner that its potential weak- 
nesses are clearly revealed and it is 
suggested that this should be dealt with 
in the following manner:- 

(a) Consider the Significant Airworthi- 
ness Functions which are required 
of the complex of systems which to- 
gether make up the aircraft. 

(b) Designate the system boundaries 
which allow the best logical separa- 
tion of these functions. 

(c) Designate the Zones, or physical 
boundaries, in which systems, parts 
of systems, and components are 
installed. 

NOTE: The terms 'Significant Air- 
worthiness Function' and 
'Zones' will be discussed in 
more detail later. 

(d) Carry out a system analysis for 
each of these arbitrarily generated 
groups by piece part count, for ex- 
ample, or any other desirable ap- 
proach, in order to validate the sig- 
nificant airworthiness functions. 

(e) Ensure that the interfaces are ade- 
quately taken into account. This in- 
cludes interfaces between Systems, 
between Systems and the Zones in 
which they are contained, aircrew 
and system interfaces, etc. 

As stated earlier, the Certification 
Authorities must assist this process of 
logical partition for analytical reasons, 
by stating requirements which take ac- 
count of system dependency in a ra- 
tional manner without unduly restricting 
the design. In addition, it is necessary 
because of the great background of ex- 
perience to retain many features of the 
existing requirements of BCAR and FAR 
where their application is practicable 
for the specific type under considera- 
tion. So the aircraft is subdivided into 
manageable parts on the basis of the 
significant airworthiness functions, and 
the zones or compartments in which 
systems, parts of systems and equip- 
ment are installed. 

There is, of course, a considerable 
iteration and feedback in this part of 
the work since many factors are in- 
volved. Significant airworthiness func- 
tions will be influenced by the impact 
of the airworthiness requirements on 
the required operational characteris- 
tics. Zones may be determined not only 
by the structure arrangement but also 
by disposition of the systems and equip- 
ment, and the hazards arising from mal- 
function and interaction. These aspects 
will be further discussed. In real cases 
some compromise with factors outside 
Safety aspects may be necessary, in- 
volving, for example, the extent of sub- 
contract work and particular respon- 
sibilities when the project is being 
carried out by more than one major 
contractor. It may well be that ability to 
define and deal with the interface prob- 
lems may be a powerful factor in the 
determination of the sub-divisions of 
systems and zones. 

For example, if one considered a 
supersonic aircraft having variable in- 
take geometry it would be difficult to 
disassociate the behaviour of the intake, 
engine and perhaps its variable exhaust 
nozzles. It is clearly desirable to per- 
form safety assessment on a unit which 
includes each of these parts and to en- 
sure that this is carried out by an inte- 
grated propulsion unit team. 

4.2 Discussion of the Significant Airworthi- 
ness Function 

In the context of this primary activ- 
ity, the Significant Airworthiness Func- 
tion has considerable significance when 
the Safety Assessment is being or- 
ganised. It is important to recognise 
that there are many functions which do 
not have airworthiness significance. 
These could have powerful commercial 
implication in the way of effects on 
despatch capability, achievement of de- 
sired flight profile, maintenance costs, 
etc., and these functions will also be 
submitted to exhaustive system investi- 
gation which must be separate from the 
analysis required for Safety reasons. 
For example if a feature of the aircraft 
to be investigated is a droop nose nec- 
essary to provide the vision required 
for operation in various flight phases, 
we could consider two of its possible 
functions. In one case, the system could 
fail in a mode which prevented the nose 
being raised to the supersonic position. 
The result might be to prohibit flight in 
the supersonic mode and airworthiness 
would only be affected by any contribu- 
tion which might result from a diversion. 

A significant function would be the 
requirement for lowering the nose dur- 
ing the approach, and failure to achieve 
this would result in an increased load 
on the pilot and therefore represent an 
airworthiness hazard. Consequently, the 
system ability to perform this task is 
included in the safety assessment and 
its integrity matched to the importance 
of this hazard (however in passing there 
is also an absolute requirement in the 
case of Concorde that it should be cap- 
able of being landed safely after mal- 
function of the droop nose). 

This discussion emphasises the need 
in all safety assessment work for pre- 
cision in the identification of the func- 
tions which are associated with safety. 
It has already been said that safety 
assessment should provide the best 
display of the weaknesses of a project 
and this requirement will not be satis- 
fied by an approach which endeavours 
to take account of every failure when 
many of these do not affect safety. 

4.3 Integration of the Safety Assessment 

At this point we have discussed the 
requirements and defined the systems 
and zones necessary for their logical 
application. The systems will then be 
analysed on the basis of single failures 
and the zones on the basis of detailed 
checks against installation rules. 


These analyses are now developed 
through the following stages, which are 
probably sufficiently self explanatory 
in the context of this paper:- 

(a) The system single failure analysis. 

(b) The system safety assessment. 

(c) The aircraft safety assessment. 

These stages facilitate the grouping 
of piece part failures, the combination 
of these failures as they affect systems, 
and the total effect of these failures and 
the interactions which arise, on the air- 
craft as a whole. In a presentation of 
this sort it is difficult to describe the 
complete procedure with greater depth 
but it is not difficult to see a direct 
parallel with the Failure Mode and Ef- 
fects Analysis combined with Critical- 
ity Analyses which are performed in 
the US industry. 

In a previous paper on the subject of 
safety assessment dealing specifically 
with Concorde (Ref: 1) the way in which 
these middle level assessments are 
combined was discussed. Essentially, 
we have designated a basic system 
element (Figure 1) which has an input 
of system control signals, stimuli from 
other systems, system internal failures 
and, of course, the system output func- 
tions. Within this concept it is endeav- 
oured to have discrete analysis but the 
output of the analysis will be grouped in 
so far as their effects on the whole air- 
craft are concerned. A feature of each 
of these analyses is the use of depend- 
ence diagrams which make very impor- 
tant contributions to the achievement of 
total visualisation of system vulnera- 
bility. 

The problem of display and total 
comprehension of the safety assessment 
introduces us to the question of choice 
between fault tree, logic tree, success 
path, dependence diagram, etc. I have 
had many discussions in the American 
and European Industries where this has 
arisen and it is clear that there are ap- 
plications and objectives which are 
suited to each approach. Bearing in 
mind the need to ensure that every 
section of the design/manufacturing/ 
operating team should have the widest 
understanding of the safety problem, it 
is suggested that some care should be 
taken over this choice. If the fault tree 
is considered it is thought that some 
variant, such as the logic tree, is very 
suitable as a high level linking dis- 
cipline. It could link, for example, the 
outputs from the discrete system anal- 
ysis referred to above and its use 
should be limited to the integration of 
these effects at the total aircraft level. 
It is suggested therefore that the roots 
of the fault tree should culminate in 
events which are described in depend- 
ence diagrams. 

It is undeniable that pure fault tree 
analyses carried out with a view to 
automation are ideally suited to proj- 
ects where development and operational 
time in a fully assembled mode is 
minimal. The fault tree programme in 
this case has some relationship to the 
flight development programme on air- 
craft but it is thought that from the 
point of view of original safety assess- 
ment on aircraft projects it is ex- 
tremely difficult to highlight the safety 
problem, when a fault tree perhaps of 
many thousand events may be needed to 
go from a part failure to, for example, 
a minimum safe pitch capability over a 
limited Mach range. It is realised that 
statistical analysis will produce domi- 
nant paths, critical modes, etc. but it 
is possible that the complexity of the 
process could swamp the safety effort. 

The dependence diagram is ideally 
suited to the examination of failure 
modes at system level and draws par- 
ticular attention to the need for re- 
dundancy and the weight which must be 
put on the assessment. Attention is 
particularly drawn to systems which 
are unduly sensitive to series effects. 
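As an added illustration (not from the paper, and not a reproduction of the Concorde analyses), the following Python evaluates a small dependence diagram made of series and parallel (redundant) groups and then ranks each element by how much the probability of losing the function moves when that element's own failure probability doubles. The diagram and all failure probabilities are constructed for the example; the point it makes is the one in the text: elements on a series path dominate the result, while elements behind redundancy barely affect it.

```python
"""Evaluate a dependence diagram for loss of a function.

Added illustration, not from the paper: a 'series' group loses its function
if any child does, a 'parallel' (redundant) group only if every child does,
and failures are assumed independent. All element probabilities below are
constructed per-flight values chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Element:
    name: str
    p_fail: float  # assumed probability of failure per flight


@dataclass
class Group:
    kind: str  # "series" or "parallel"
    children: list = field(default_factory=list)


Node = Union[Element, Group]


def p_loss(node: Node) -> float:
    """Probability that the function supplied by this node is lost."""
    if isinstance(node, Element):
        return node.p_fail
    child_ps = [p_loss(c) for c in node.children]
    if node.kind == "series":
        survive = 1.0
        for p in child_ps:  # survives only if every child survives
            survive *= 1.0 - p
        return 1.0 - survive
    if node.kind == "parallel":
        lost = 1.0
        for p in child_ps:  # lost only if every redundant child is lost
            lost *= p
        return lost
    raise ValueError(f"unknown group kind {node.kind!r}")


def elements(node: Node) -> List[Element]:
    """All piece-part elements in the diagram, depth first."""
    if isinstance(node, Element):
        return [node]
    out: List[Element] = []
    for child in node.children:
        out.extend(elements(child))
    return out


def sensitivity(diagram: Node) -> List[Tuple[str, float]]:
    """Increase in P(loss) if each element's failure probability doubled,
    most sensitive first. Elements on series paths dominate; elements
    behind redundancy barely move the total."""
    base = p_loss(diagram)
    ranked = []
    for e in elements(diagram):
        original = e.p_fail
        e.p_fail = min(1.0, 2.0 * original)
        ranked.append((e.name, p_loss(diagram) - base))
        e.p_fail = original
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


# Constructed diagram: two redundant pumps feed one actuator through one
# control linkage; the linkage and actuator are the series elements.
HYDRAULIC_FUNCTION = Group("series", [
    Group("parallel", [Element("pump A", 1e-3), Element("pump B", 1e-3)]),
    Element("linkage", 2e-6),
    Element("actuator", 5e-6),
])

if __name__ == "__main__":
    print(f"P(loss of function) = {p_loss(HYDRAULIC_FUNCTION):.3e}")
    for name, delta in sensitivity(HYDRAULIC_FUNCTION):
        print(f"{name:10s} +{delta:.3e}")
```

With the constructed numbers the two pumps together contribute about 1e-6 to the loss probability, so the single actuator and linkage dominate the total of roughly 8e-6 and head the sensitivity ranking, which is exactly the "series effect" the text says the dependence diagram draws attention to.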

4.4 The Zonal Analysis 

This is an analysis which is re- 
quired to cover proximity, environ- 
mental and other associated effects 
which together constitute a considerable 
problem in most aerospace applications. 
A zone for the purposes of this paper 
is considered to be a volume or com- 
partment of the aircraft which is struc- 
turally or even arbitrarily bounded and 
in which equipment and systems are 
installed. Convenient means of identi- 
fication could be by the use of the ATA 
100 coding suitably modified according 
to the specific structural requirements 
of the aircraft. 

Zonal analysis could be considered 
to be primarily concerned with problems 
which arise as a function of position 
whereas the system analysis discussed 
elsewhere in this paper is primarily 
directed at failure to achieve Significant 
Airworthiness Functions. 'Primarily' 
is a key word in this context since there 
is an essential overlap and the dual 
approach is important. Zonal analysis 
would therefore be primarily directed 
at problems of containment, jamming, 
fire, leakage, radio interference, etc. 
These are essentially areas which re- 
quire an adherence to design rules in 
respect of environment and segregation 
which can often be enshrined in arbi- 
trary airworthiness requirements, and 
which have been developed with con- 
tinuing experience over the years. 

A systematic approach is required 
when the assessment is being made in 
the context of the rational requirement 
but the task of quantifying segregation 
for example is clearly a difficult one. 
The following method has been proposed 
for use on current projects. The 
chosen zone must be identified in rela- 
tion to the aircraft and its contents in- 
dicated by drawing or list. Installation 
rules are developed for each zone based 
on general experience, consideration of 
the particular equipment present, and 
its failure modes. The objective is to 
ensure compliance with the installation 
rules with reference to the hazard 
classification of the general require- 
ment. If there is a case where the as- 
sessed hazard probability is not fa- 
vourably matched to its effects then 
this will appear as an output of the 
Zonal Analysis. Apart from the direct 
environmental effect which would re- 
quire local design action this hazard 
would appear as an input to the safety 
analyses of the functional systems which 
are present in the zone insofar as the 
achievement of the associated Signifi- 
cant Airworthiness Functions are con- 
cerned. 

It is worth repeating the primary 
features of this analysis which are to 
achieve a logical arrangement of the 
zones, clear identification of the con- 
tents of these zones, and the presenta- 
tion of comprehensive installation rules. 
These installation rules must take ac- 
count not only of the best engineering 
practice but also consider the specific 
failure modes and their local effects. 
Finally the zones must be comprehen- 
sively checked against these rules and 
positive conclusions reached. 

5 THE EXERCISE OF JUDGEMENT IN 
SAFETY ASSESSMENT 

Assessed probabilities are the essential 
tools of safety analysis and it is important 
that this statement is fully understood. In 
many cases it is possible to assemble an 
ideal structure of numerical probabilities 
on the basis of component failure rates. 
Particularly this is so in the case of avionics 
which are specially suited to statistical 
analysis on this basis and where substan- 
tiated failure rates for most of the parts 
and techniques involved are available. How- 
ever, when safety assessment is being per- 
formed in this manner utilising component 
failure rates, weighting factors must be 
applied, to take account of particular usage, 
environmental conditions, etc. Therefore, 
even in what could be postulated as an ideal 
application of safety assessment where sub- 
stantiated failure rates under known con- 
ditions are available, it becomes necessary 
to introduce general, if not subjective, ex- 
perience into this numerical analysis when 
the required operating conditions are dif- 
ferent from those under which the reliabil- 
ities were determined. The apparent dero- 
gation of a potentially 'pure' numerical 
analysis has been emphasised because the 
weighted analysis represents a point on the 
scale between 'numerical approach' on the 
one hand and 'engineering experience' on 
the other. Where the range of systems 
concerned extends from the purely electronic, 
through auto-throttles with, for example, 
sensors and clutch mechanisms, to flying 
controls where linkages, actuators, struc- 
tural parts, etc. should also be included 
then it is obvious that the mixture has 
progressively become less 'pure'. 

The 'pure' approach would be severely 
compromised when the interface between 
electronic parts and mechanical parts oc- 
curs, where one element has been assessed 
by proved reliability techniques and the 
other, such as a linkage or hydraulic com- 
ponent, may have been assessed on engi- 
neering experience associated with a lim- 
ited but fully understood test programme. 
In cases of this sort, the failure of a me- 
chanical locking device and a soldered joint 
in a circuit may have similar results. 

So how should the task be approached? 
It must be emphasised that, as was said 
earlier, we are discussing only the tools of 
the trade; the designers and specialists 
have the desired input and it is the manage- 
ment of this input that is being discussed. 
Where computer techniques are required 
then the skills appropriate to these tech- 
niques must be available but only to ensure 
that the best use is being made of engineer- 
ing judgement or the other relevant skills. 

It is thought that a numerical approach 
is an excellent method of recording the 
exercise of judgement and it is emphasised 
that this should not be unnecessarily in- 
hibited by the limitations of the data. The 
designer makes his numerical assessment 
implicitly by presenting his design and it 
can only do good to display how his thought 
processes have distributed the probabilities. 
The application of experience becomes more 
credible if directed at the component parts 
rather than at the assembly as a whole, and 
the design can be assessed by the extent of 
this dependence on unduly favourable as- 
sumptions. However it must be said that 
even here judgement must be exercised. 

Unimaginative use of the numerical ap- 
proach has tended to bring it into disrepute 
in some quarters and single faults estimated 
at 10^-6 or less which produce dangerous 
hazards cannot be treated as the corner- 
stones of safety assessment. To avoid this 
pitfall, rational requirements need to be 
backed by some safeguards stated in ar- 
bitrary form, as in TSS 1-1. 

6 CONCLUSIONS 

It is important to say before concluding, 
that there are major omissions in this 
paper, considered necessary because of 
possible effects on emphasis, within the 
limited time available. For example, safety 
assessments require major inputs from 
consideration of Crew Procedures; flight 
handling is closely linked with system anal- 
ysis and rational requirements have been 
developed to take account of this; also no 
mention has been made of the importance 
attached to the use of the flight simulator 
and the importance of the continuing main- 
tenance effort has only been mentioned in- 
directly. More specifically the analysis of 
digital systems (including their software) 
if employed where sufficient authority exists 
to create serious hazards is also relevant 
to the discussion of the fundamentals of 
Safety Assessment. 

I think these examples suggest the extent 
of the field from which my particular ob- 
servations could have been drawn. However 
I have chosen to bring out some of the es- 
sential features of Safety Assessment in 
more fundamental terms, which could have 
been obscured by these other considerations. 

I have endeavoured to discuss Safety 
Assessment under four headings chosen at 
the beginning of this paper. I have talked 
about the definition of Safety Objectives, 
the organisation and display of the Assess- 
ment, and the exercise of judgement. I find 
that I have not specifically discussed the 
final point which was to show to the satis- 
faction of all concerned that the safety ob- 
jectives have been met, and although it is 
largely implicit in the other headings, I will 
return to it later. 

I think that the broad conclusion which 
emerges from this discussion is that Safety 
Assessment continues to require a disci- 
plined approach, which, although it cannot 
displace the specialist design functions, is 
necessary as a means of directing these 
efforts at the right problems with a lower 
probability of subjective error. 

In more detail, I have emphasised the 
need to determine and set out safety ob- 
jectives with precision so that the analysis 
is not complicated, with occurrences which 
are not relevant to safety. Also it is im- 
portant that the Safety Assessment can be 
readily understood by all concerned, and 
visual techniques such as the variants of 
the fault tree, dependence diagrams, should 
be used. 

The exercise of judgement should be 
assisted where possible by a reasonable 
use of numerical methods, but these should 
not be allowed to obscure the objectives or 
saturate the Safety Effort. In addition, the 
particular importance of a methodical anal- 
ysis of Zonal, or environmental problems, 
cannot be over-emphasised. 

To return to the final point in my intro- 
duction which required the assessment to 
show to the satisfaction of all concerned 
that the safety objectives have been met, 
this is of course a problem of data display 
and management. If judgement has been 
applied in the manner discussed so that 
simulator, development flying, and service 
experience can rapidly and effectively up- 
date the assessment, then I believe that we 
are some way along the line towards en- 
suring that the Safety Objectives will be 
achieved in service. 

7 ACKNOWLEDGEMENT 

I would like to express my thanks to the 
Air Regulation Board for permission to 
present this paper and to point out that the 
opinions expressed are entirely my own. 

8 REFERENCE 

1. HAAS, J. (Aerospatiale), 'An Application 
of Modern Maintenance Concepts and 
Safety Analysis to the Multinational Cer- 
tification of a Supersonic Aircraft.' Pre- 
sentation to the 6th Annual International 
Maintenance Symposium. 







APPENDIX 

NOTE ON TSS 1-1 AIRWORTHINESS OBJECTIVES AND SYSTEM ANALYSIS 


TSS 1-1 introduces a probability approach 
to the Safety Assessment of aircraft systems, 
together with a framework of defined terms. 
To fit the requirements into a consistent 
framework, a number of terms needed to be 
defined. 

At root there are the things which happen, 
described as Occurrences. These include 
Failures of parts of the aeroplane, Events 
arising from outside the aeroplane (e.g. 
gusts) and Errors arising from the ac- 
tions, or failures to act, of flight or ground 
personnel. 

An Occurrence has various potential 
Effects. These can be classified according to 
the associated level of danger, into Minor, 
Major, Hazardous or Catastrophic. 

The requirements must state the acceptable 
frequency of Occurrences, and according to 
the magnitude of the Effect, various frequen- 
cies can be ascribed - Frequent, Reasonably 
Probable, Remote, Extremely Remote, etc. 
To give technical significance to these words 
some idea of the numerical probability needs 
to be quoted (e.g. Reasonably Probable, of the 
order of 10^-3 to 10^-5). 


The constructor's task is then to assess 
the frequency of Occurrences, singly and in 
combinations, and the Effects of these Occur- 
rences. These results are then to be matched 
against the acceptable probability of the va- 
rious levels of Effect. 

One clearly defined difficulty with this ap- 
proach is that of proving compliance with the 
requirements, particularly in cases where a 
failure or combination of failures would re- 
sult in catastrophe. In such cases it is nec- 
essary to impose some additional arbitrary 
criteria in addition to, or instead of the 
numerical criteria (e.g. a double failure may 
only be acceptable as an Extremely Improb- 
able failure when (a) both failures are as- 
sessed to be not more probable than Remote, 
or (b) at least one is assessed to be Extremely 
Remote). 

The requirement then states broadly that 
the Occurrence of failures or errors must not 
produce an accident risk greater than pre- 
scribed levels, and that systems or combina- 
tions of systems operating normally without 
failures or errors must not be able to 
prejudice the safe operation of the aircraft. 
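The matching the appendix describes, together with the "arbitrary safeguard" on double failures and the section 5 warning against single faults at 10^-6 being treated as cornerstones, is shown below as an added Python example. It is not the text of TSS 1-1: the effect and frequency terms are the ones listed in the appendix, but only the Reasonably Probable band (of the order of 10^-3 to 10^-5) is quoted on the page, so every other numeric boundary and the table of which frequency each effect may have are assumed placeholders for illustration.

```python
"""Matching assessed probabilities against TSS 1-1 style hazard classes.

Added illustration of the scheme the appendix describes, not the text of
TSS 1-1. The effect and frequency terms are the ones the appendix lists.
Only the 'Reasonably Probable' band (of the order of 10^-3 to 10^-5) is
quoted on the page; every other numeric boundary, and the table of which
frequency each effect must not exceed, is an ASSUMED placeholder.
"""
from enum import IntEnum


class Freq(IntEnum):
    """Frequency bands, ordered so that a larger value is less probable."""
    FREQUENT = 0
    REASONABLY_PROBABLE = 1
    REMOTE = 2
    EXTREMELY_REMOTE = 3
    EXTREMELY_IMPROBABLE = 4


class Effect(IntEnum):
    MINOR = 0
    MAJOR = 1
    HAZARDOUS = 2
    CATASTROPHIC = 3


# Lower edge of each band (probability per flight hour). Only the
# Reasonably Probable edges are from the page; the rest are assumed.
FREQ_LOWER_BOUND = {
    Freq.FREQUENT: 1e-3,
    Freq.REASONABLY_PROBABLE: 1e-5,
    Freq.REMOTE: 1e-7,             # assumed
    Freq.EXTREMELY_REMOTE: 1e-9,   # assumed
    Freq.EXTREMELY_IMPROBABLE: 0.0,
}

# Least improbable band still acceptable for each effect (assumed).
REQUIRED_BAND = {
    Effect.MINOR: Freq.FREQUENT,
    Effect.MAJOR: Freq.REMOTE,
    Effect.HAZARDOUS: Freq.EXTREMELY_REMOTE,
    Effect.CATASTROPHIC: Freq.EXTREMELY_IMPROBABLE,
}


def classify(p: float) -> Freq:
    """Band for an assessed probability: the first band whose lower edge p reaches."""
    for band in Freq:
        if p >= FREQ_LOWER_BOUND[band]:
            return band
    raise ValueError("probability must be non-negative")


def single_occurrence_acceptable(effect: Effect, p: float) -> bool:
    """Numerical criterion alone: is the assessed band improbable enough?"""
    return classify(p) >= REQUIRED_BAND[effect]


def double_failure_extremely_improbable(p1: float, p2: float) -> bool:
    """The appendix's arbitrary safeguard on top of the numbers: a double
    failure may only be accepted as Extremely Improbable when (a) both
    failures are not more probable than Remote, or (b) at least one is
    Extremely Remote (read here as Extremely Remote or better), AND the
    product of the two probabilities (independence assumed) also lands in
    the Extremely Improbable band."""
    b1, b2 = classify(p1), classify(p2)
    safeguard = (min(b1, b2) >= Freq.REMOTE) or (max(b1, b2) >= Freq.EXTREMELY_REMOTE)
    numerical = classify(p1 * p2) == Freq.EXTREMELY_IMPROBABLE
    return safeguard and numerical


if __name__ == "__main__":
    # Section 5's pitfall: a single fault at 10^-6 with a catastrophic effect
    # is only Remote, so it cannot be the cornerstone of the assessment.
    print(classify(1e-6).name, single_occurrence_acceptable(Effect.CATASTROPHIC, 1e-6))
    # Numerically 10^-4 x 10^-6 = 10^-10 looks Extremely Improbable, but the
    # arbitrary safeguard rejects it: one member is only Reasonably Probable
    # and neither is Extremely Remote.
    print(double_failure_extremely_improbable(1e-4, 1e-6))
    print(double_failure_extremely_improbable(1e-6, 1e-6))
```

The second `double_failure_extremely_improbable` call is the case the appendix's clause (a) is written for: two Remote failures combine acceptably, whereas a Reasonably Probable failure paired with a Remote one does not, however small their product.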
INTRODUCTION 

The X-24A is a manned lifting body flight 
vehicle, engaged in a flight research program 
at Edwards Air Force Base, California. The 
aerodynamic configuration of the X-24A was 
developed by the Martin Marietta Corporation 
over a period of years in connection with in- 
house studies and Air Force contracts. The 
final configuration evolving from these studies 
was identified as the SV-5. The SV-5 con- 
figuration featured medium hypersonic lift to 
drag ratios, good subsonic performance, and a 
high volumetric efficiency. 

Three small scale SV-5D vehicles, identi- 
fied as the PRIME, were fabricated by Martin 
under Air Force contract. They successfully 
demonstrated flight from entry into the earth's 
atmosphere at orbital speeds down to 100,000 
feet altitude at a velocity of Mach 2.0. The 
unmanned PRIME vehicles were approximately 
one fourth the size of the X-24A and weighed 
approximately 800 pounds. Recovery was by 
"air snatch" following deployment of a ballute 
and a parachute. 

DESIGN AND OPERATIONAL CHARACTER- 
ISTICS 

The X-24A is approximately 24 feet long, 
weighs approximately 5500 pounds empty, and 
has an internal tankage capacity for approxi- 
mately 5500 pounds of propellants and gases. 
It is of conventional aluminum alloy construc- 
tion and is powered by the XLR-11 rocket 
engine developed over twenty years ago. The 
main propellants are liquid oxygen and alcohol. 
Hydrogen peroxide is used to power the 
turbopump and helium is used to pressurize the 
tanks and actuate the valves. The vacuum 
thrust of the engine is approximately 8500 
pounds and the maximum burn time at full 
thrust is nominally 140 seconds. 500 pound 
thrust hydrogen peroxide fueled rocket en- 
gines are also provided for use as "landing 
engines". 

Control of the X-24A is by means of 8 
movable aerodynamic surfaces. These sur- 
faces are powered by a dual redundant hy- 
draulic system and respond to either pilot 
commands or the inputs from a triple re- 
dundant stability augmentation system. Vari- 
ous modes of control are possible with the 
X-24A and the development of a "control law" 
has been one of the objectives of the flight 
research program. Generally the upper flaps 
are "biased" to the open position at high speeds 
(minus 40 degrees above 0.60 Mach number, 
for example) and are closed up at low speeds 
and for landing. The pilot has the capability, 
however, to open them up for use as speed 
brakes. Usually, pitch control is accomplished 
by simultaneous deflection of the lower flaps 
while roll control results from differential 
deflection. When the upper flaps are "closed 
up", some of the pitch and roll control func- 
tions are transferred to them at which time 
they act in concert with the lower flaps. 

The upper and lower rudders on each side 
may be moved together in response to "bias" 
signals and are generally toed-in 10 degrees 
for low speeds and toed-out 2 degrees for 
high speeds. The upper rudders on each side 
move together in response to the pilot's com- 
mands, inputs from the stability augmentation, 
and in response to commands from a rudder- 
aileron interconnect system. The rudder- 
aileron interconnect system deflects the 
rudders in proportion to aileron deflection to 
counteract the adverse yaw which results from 
aileron deflection. Aileron action is, of course, 
obtained by differential deflection of the flaps 
as explained above. 

The normal mode of operation of the X-24A 
is to launch the vehicle from a B-52 mother 
ship at approximately 45,000 feet and a Mach 
number of 0.69. Early flights were made in a 
strictly glide mode. Later, the XLR-11 rocket 
engine was started after launch and the X-24A 
was climbed to altitudes in excess of 70,000 
feet and accelerated to velocities in excess of 
Mach 1.60. In all cases, however, the final 
portion of the flight consists of an unpowered 
glide to a conventional airplane type landing 
on the dry lake at Edwards Air Force Base. 

SAFETY CONSIDERATIONS FOR VEHICLE 
DESIGN 

The "one of a kind" research mission of 
the X-24A dictated that great emphasis be 
placed on safety during the design of the X-24A. 
Initial criteria were developed on the basis of 
experience with other research flight vehicles 
such as the X-15 and on the basis of the pre- 
dicted flight characteristics of the 
X-24A. 

The inherently high drag of the lifting body 
configuration together with its relatively low 
lift/drag ratio (typically 2.0 to 4.4), gen- 
erated considerable concern with respect to 
the pilot's ability to perform safe landings 
from gliding flight. Accordingly, the "landing 
engines" were incorporated into the design to 
provide an increase in the apparent lift/drag 
ratio during flare and landing. Experience with 
the X-24A has since shown that this concern 
was not warranted. The landing rockets were 
used on the first three flights, but have not 
been used on the following twenty-two flights. 

In the early stages of design, all systems 
were reviewed for critical areas. A failure 
mode and effects analysis was performed. 
Redundancy and other techniques were used to 
insure safe operation to touchdown and roll 
out after one or more component failures 
occurred. 

Start failure of the XLR-11 engine would 
require immediate jettisoning of the main 
propellant. Therefore, a bypass system was 
designed which would route helium directly 
from the storage tank to the main propellant 
tanks. An Interlock with the jettison valves 
prevented opening of the bypass system unless 
the jettison valves were open. Thus, a failure 
of the normal pressure regulating system in 
the closed mode would not preclude jettisoning 
of the main propellants. 

The hydrogen peroxide tank is pressurized 
with helium to 475 psia. The helium is stored 
at 4200 psia and routed through a pressure 
regulator to achieve the desired pressure drop. 
An open failure of the regulator would over- 
pressurize the peroxide tank and cause a 
catastrophic failure. This single point failure 
was eliminated by incorporation of a dual 
redundant relief valve in the peroxide tank. 
Depletion of the helium source through the 
vent is prevented by installation of a normally 
open solenoid valve in series with the regu- 
lator. This valve is controlled by a pressure 
switch, set to a higher pressure than the 
regulator pressure, but a lower value than the 
settings on the peroxide tank relief valves. A 
cockpit switch allows the pilot to close this 
valve manually if his pressure indications 
should show a trend to overpressure, or to 
de-energize the valve if a pressure switch 
malfunction should cause it to close unneces- 
sarily. 
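The layered protection just described lends itself to a fault-injection check, shown here as an added Python model that is not X-24A design data. Only the 475 psia regulated pressure and the 4200 psia helium storage pressure come from the paper; the pressure-switch and relief-valve settings are assumed values chosen solely to respect the ordering the text states (regulator below switch below relief). The model injects a regulator failed open, a dead pressure switch, and a spuriously tripped switch, and checks which barrier catches each.

```python
"""Fault-injection model of the X-24A peroxide tank pressurisation
protection as the text describes it: regulator, relief valves on the tank,
and a normally open solenoid valve in series with the regulator that a
pressure switch closes, with cockpit overrides.

Added illustration, not X-24A design data. Only the 475 psia regulated
pressure and the 4200 psia helium storage pressure are from the paper; the
switch and relief settings are ASSUMED and chosen only to respect the stated
ordering regulator < pressure switch < relief valves.
"""
from dataclasses import dataclass

HELIUM_SOURCE_PSIA = 4200.0   # from the paper
REGULATOR_PSIA = 475.0        # from the paper
SWITCH_PSIA = 525.0           # ASSUMED: above regulator, below relief
RELIEF_PSIA = 575.0           # ASSUMED: dual relief valves lift here


def setpoints_ordered() -> bool:
    """The ordering the text relies on: the switch acts before relief lifts."""
    return REGULATOR_PSIA < SWITCH_PSIA < RELIEF_PSIA


@dataclass
class Plant:
    regulator_failed_open: bool = False  # regulator passes full source pressure
    switch_failed_open: bool = False     # switch never trips (fails to sense)
    switch_failed_closed: bool = False   # switch trips spuriously
    pilot_close: bool = False            # cockpit: close the solenoid manually
    pilot_deenergise: bool = False       # cockpit: de-energise (open) the solenoid
    tank_psia: float = 0.0
    solenoid_open: bool = True           # normally open
    relief_lifted: bool = False
    helium_vented_psi: float = 0.0       # pressure-units of helium lost overboard


def step(p: Plant, fill_rate: float = 20.0) -> Plant:
    """Advance the plant one time step (fill_rate in psi per step)."""
    # 1. Pressure switch: energises the normally open solenoid closed
    #    once tank pressure exceeds its setting.
    switch_trip = (p.tank_psia > SWITCH_PSIA and not p.switch_failed_open) \
        or p.switch_failed_closed
    if p.pilot_deenergise:
        p.solenoid_open = True           # pilot overrides a spurious trip
    else:
        p.solenoid_open = not (switch_trip or p.pilot_close)
    # 2. Supply through regulator and solenoid.
    supply = HELIUM_SOURCE_PSIA if p.regulator_failed_open else REGULATOR_PSIA
    if p.solenoid_open and p.tank_psia < supply:
        p.tank_psia = min(supply, p.tank_psia + fill_rate)
    # 3. Relief valves: last barrier, at the cost of venting helium.
    p.relief_lifted = p.tank_psia > RELIEF_PSIA
    if p.relief_lifted:
        p.helium_vented_psi += p.tank_psia - RELIEF_PSIA
        p.tank_psia = RELIEF_PSIA
    return p


def run(p: Plant, steps: int = 60) -> Plant:
    for _ in range(steps):
        step(p)
    return p


if __name__ == "__main__":
    nominal = run(Plant())
    print("nominal:", nominal.tank_psia, nominal.solenoid_open)
    # Regulator fails open: the switch closes the solenoid before the
    # relief setting, so the helium source is not depleted through the vent.
    reg_open = run(Plant(regulator_failed_open=True))
    print("regulator open:", reg_open.tank_psia, reg_open.relief_lifted,
          reg_open.helium_vented_psi)
    # Regulator open and switch dead: relief valves hold the tank but vent.
    both = run(Plant(regulator_failed_open=True, switch_failed_open=True))
    print("regulator open, switch dead:", both.tank_psia, both.helium_vented_psi)
    # Spurious trip starves the tank until the pilot de-energises the valve.
    spurious = run(Plant(switch_failed_closed=True))
    spurious.pilot_deenergise = True
    print("spurious trip then override:", run(spurious).tank_psia)
```

Each scenario exercises one barrier: the solenoid holds the tank below the relief setting with nothing vented, the relief valves hold it at their setting but bleed helium when the switch is dead, and the cockpit de-energise switch restores pressurisation after a spurious trip.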


Redundancy techniques were used in the 
flight control system to eliminate single point 
catastrophic failure modes. Two independent 
hydraulic systems are used. Each system is 
powered by two electric motor driven hydraulic 
pumps, and each pair of pumps is powered by 
its own independent battery. In the event of a 
failure of either of the batteries powering the 
hydraulic pumps, power is switched to the 
flight test instrumentation battery, thus pro- 
viding an additional backup for this mode. 
The stability augmentation system was made 
triple redundant to insure that it would always 
be available to provide its augmentation func- 
tion, but could not command a "hard-over" or 
other erroneous control signal. Each axis of 
the system has three parallel rate gyros, as- 
sociated electronics, and a logic circuit which 
insures that a malfunction in one of the three 
parallel channels will not cause a hardover 
or disable the system. 
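To make the "logic circuit" requirement concrete, here is an added Python example of channel voting for one axis; it is not the X-24A circuit, which the paper does not describe beyond its purpose. The mid-value-select scheme, the miscompare monitoring, the decision to fail passive after a second disagreement, and the numeric limits are all assumptions.

```python
"""Channel voting for a triple-redundant rate gyro axis, as the text
describes for the X-24A stability augmentation: a malfunction in one of
three parallel channels must neither command a hard-over nor disable the
function.

Added illustration. The paper only says a logic circuit exists; the scheme
here (mid-value select, miscompare monitoring, fail-passive after a second
disagreement) and the numeric limits are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

HARDOVER_DEG_S = 100.0   # assumed full-scale channel output
MISCOMPARE_DEG_S = 5.0   # assumed tolerance before a channel is declared failed


def mid_value(a: float, b: float, c: float) -> float:
    """Median of three: a single wild channel can never be selected."""
    return sorted((a, b, c))[1]


@dataclass
class AxisVoter:
    healthy: List[bool] = field(default_factory=lambda: [True, True, True])

    def step(self, readings: List[float]) -> float:
        """Return the augmentation command for this axis for one sample."""
        live = [i for i in range(3) if self.healthy[i]]
        if len(live) == 3:
            out = mid_value(*readings)
            for i in live:
                # latch out any channel that disagrees with the selected value
                if abs(readings[i] - out) > MISCOMPARE_DEG_S:
                    self.healthy[i] = False
            return out
        if len(live) == 2:
            a, b = readings[live[0]], readings[live[1]]
            if abs(a - b) > MISCOMPARE_DEG_S:
                # second failure: the two survivors cannot outvote each other,
                # so fail passive rather than risk following the wrong one
                for i in live:
                    self.healthy[i] = False
                return 0.0
            return (a + b) / 2.0
        return 0.0  # fewer than two agreeing channels: augmentation off

    def available(self) -> bool:
        """Augmentation remains available while two channels agree."""
        return sum(self.healthy) >= 2


if __name__ == "__main__":
    voter = AxisVoter()
    # constructed samples: channel C goes hard-over on the first sample
    for sample in ([10.0, 10.5, HARDOVER_DEG_S], [11.0, 11.2, HARDOVER_DEG_S]):
        print(voter.step(sample), voter.healthy)
```

With one channel hard-over the output follows the two good channels and the function stays available; the hard-over value never reaches the output because the median of three cannot be the outlier.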

The X-24A flight control system consists 
of a relatively complex mechanical linkage 
which accomplishes the required mixing and 
crossover functions in order to transfer the 
command signals from the pilot and the 
stability augmentation system to the flaps and 
rudders. 

In order to thoroughly evaluate the opera- 
tion of the flight control system under normal 
and malfunction conditions and to accomplish 
the necessary development work in an orderly 
and expeditious manner, the entire system 
was assembled on a structural steel mockup 
for fixed-base closed loop simulation. All 
attachment points to the basic X-24A structure 
were duplicated by the structural steel frame 
work. The hydraulic power actuators moved 
dummy control surfaces which were 
loaded in a manner to simulate airloads. This 
was accomplished with air cylinders pres- 
surized from a regulated source of com- 
pressed gas. Control surfaces position was 
measured with potentiometers and the elec- 
trical signal was fed into an analog computer. 
A complete set of pilot flight controls was 
provided and the position of these controls was 
also fed into the computer. The motions of 
the X-24A which would have resulted from 
the various control positions was calculated 
by the computer and displayed on the pilot's 
flight instruments (attitude indicator, Mach- 
meter, altimeter, etc) and also recorded 
on strip charts for engineering anal- 
ysis. 

Experienced pilots "flew" numerous mis- 
sions in both normal and malfunction modes. 
These tests provided functional verification of 
overall system operation and permitted an 
assessment of the pilot's ability to use the 
manual backup controls to correct system 
malfunctions. A typical example would be a 
failure in the automatic flap bias system 
tending to drive the upper flaps to an extreme 
position. The pilot was able to switch to the 
manual mode and "beep" the flap to the de- 
sired position before the development of a 
serious situation. 

After delivery of the X-24A to the govern- 
ment, full scale wind tunnel tests were run in 
the large low speed tunnel at the Ames Re- 
search Center. Additional small scale tests 
were run, and this data together with the 
measured characteristics of the actual X-24A 
flight control system were used to develop an 
accurate simulation program. This simulation 
did not include the actual flight control sys- 
tems hardware as in the flight controls test 
stand described above. Instead the measured 
characteristics of the flight control system 
were programmed into the computer. This 
simulator provided an accurate duplication of 
the cockpit controls and displays and the 
computer output drove both the pilot's displays 
and an X-Y plotter similar to the one used to 
control actual flights. 

OPERATIONAL SAFETY 

Flight planning for the X-24A starts with a 
review of all available data from preceding 
flights and a comparison of this data with wind 
tunnel results. A configuration (control 
settings, gains, etc) is established for the 
flight together with a set of flight objectives. 
In general, the flight objectives are to obtain 
specific data under certain flight conditions 
(Mach number, angle of attack, etc). Flight 
planning for a vehicle such as the X-24A must 
consider many factors in attempting to ac- 
complish the desired flight objectives. Energy 
must be programmed to insure that the pri- 
mary landing site will be reached with suffi- 
cient speed and altitude to insure a safe landing, 
but provisions must also be made for abnormal 
situations such as an early engine shutdown. 


The simulator is used as a tool for planning 
the nominal trajectory as well as all malfunc- 
tion situations. In addition, it is used as a 
means of evaluating changes to the flight 
control system or other ships systems relative 
to their effect on stability and control and 
performance. 

Once a satisfactory flight plan has been 
developed, the simulator is used for crew 
training. The general procedure used in the 
lifting body flight test program has been to 
have at least two pilots specifically assigned 
to one of the flight vehicles and at least three 
pilots active in the program. One of the X-24A 
pilots is assigned to fly the mission and the 
other pilot is assigned as the controller 
(NASA One). Usually, the third pilot, although 
not specifically assigned to the X-24A, will 
fly chase. The flight planner, the controller 
(NASA One), and the mission pilot use the 
simulator to train for the mission as a team. 

As a further training aid, F-104 aircraft 
are used as airborne simulators for the ap- 
proach and landing phases of the mission. 
Aerodynamic data for the X-24A and for the 
F-104 are utilized to establish an F-104 con- 
figuration which will give it lift/drag ratios 
comparable to that anticipated for the X-24A 
in the upcoming mission. Typically, the F-104 
is flown with gear and flaps down, speed 
brakes extended, and engine at minimal power 
settings to duplicate the low lift/drag ratio of 
the lifting body . Practice approaches are flown 
for the normal mission and for all of the 
malfunction cases. On the morning before the 
flight, a final set of practice approaches are 
flown, usually with the chase pilot ac- 
companying. Thus, when the mission pilot 
embarks on the actual X-24A mission, all 
normal and emergency aspects of the mission 
have been experienced and he is thoroughly 
prepared for any foreseeable situation which 
might develop. 

A further safety procedure followed in the 
development of an X-24A mission involves 
preparation of the formal written flight plan, 
and the technical and crew briefings. The 
flight plan spells out in detail all aspects of 
the flight. Each event in the flight is detailed 
in terms of Mach number, altitude, angle of 
attack, elapsed time, and maneuver to be ac- 
complished. A set of ground rules for "no 
launch" and a set of alternate situations after 
launch are defined in detail. 

Several days before the scheduled day, a 
technical briefing is held. This briefing is 
attended by all cognizant personnel from both 
NASA Flight Research Center and the Air 
Force Flight Test Center. Data from the 
preceding flight are reviewed and the technical 
aspects of the upcoming flight are discussed 
in detail. Finally, the written flight plan is 
reviewed. All questions raised at this briefing 
are answered satisfactorily as a prerequisite 
of the flight. 

The crew briefing is accomplished during 
the afternoon preceding the scheduled flight 
day. This briefing is attended by all personnel 
who will participate in the actual accomplish- 
ment of the flight. All operational aspects are 
reviewed and the personnel assigned to ac- 
complish specific tasks are identified. Any 
special operating procedures are discussed 
and the chase pilots, B-52 mother ship pilots, 
airborne photographers, and mission pilot 
coordinate their activities at this time. 

Servicing of the X-24A begins approxi- 
mately two hours prior to pilot entry into the 
cockpit. A complete controls system check is 
accomplished during this time period. "Throw- 
boards" are attached to the X-24A to measure 
control surface deflections. An observer is 
stationed in a position to make the desired 
readings. The crew chief operates the controls 
in the X-24A cockpit and a controls engineer 
directs the test from the control room. The 
X-24A telemetry system is operative and 
driving the strip recorders which display 
control positions in the control room. All 
personnel participating in the test are in 
radio and/or telephone communication. The 
test verifies that the control surfaces are in 
fact properly responding to the pilots cockpit 
control motions and that the control room re- 
corders are displaying the actual positions of 
the control surfaces. This check also verifies 
proper operation of the stability augmentation 
system and the automatic bias system. 

Approximately 30 minutes prior to pilot 
cockpit entry, the pilot is prepared for flight. 
A special van located near the X-24A is 
utilized to instrument the pilot and fit him into 
his full pressure suit. Since powered flights 
of the X-24A are normally made to altitudes 


in excess of 50,000 feet, the pilot wears a 
full pressure suit as a backup in the event of 
cabin pressurization failure. In order to obtain 
biomedical data, the pilot is instrumented with 
special sensors, the output of which are re- 
corded on a small tape recorder. A flight 
surgeon is present during all preparation of 
the pilot for flight to provide medical aid in 
the event of an accident, and to observe the 
pilot for any signs of distress. This procedure 
was instituted when a lifting body pilot suf- 
fered severe dehydration due to the high 
ambient temperatures (Edwards Air Force 
Base in the summer) encountered during a 
hold which occurred after cockpit entry. 

After pilot entry into the cockpit, the X-24A 
crew chief and the chief inspector go over the 
"pilot entry checklist" with the pilot to verify 
the position of all cockpit controls and the 
reading of the appropriate displays. The entire 
captive portion of the flight is also conducted 
in accordance with a carefully prepared check- 
list i.e. countdown. 

Timing of the checklist during captive flight 
is a function of B-52 position and is arranged 
so that completion of the checklist occurs just 
as the B-52 approaches the launch point. During 
the captive portion of the flight, another com- 
plete controls system check is accomplished. 
This check verifies proper operation of the 
system in the actual flight environment. In 
addition, pitch and yaw pulses of the B-52 
permit an operational check of the stability 
augmentation system. Air for cabin pres- 
surization, breathing oxygen, and electric 
power for the X-24A are provided from the 
B-52 until approximately five minutes before 
launch. At that time a switchover is made to 
internal systems and a check is made to de- 
termine that operation is satisfactory. 

Upon reaching the launch point, the pilot 
launches himself and proceeds with the flight 
according to plan. The flight is monitored 
from the ground and all communications with 
the pilot are filtered through the controller 
(NASA One). The pilot is advised of any mal- 
function or abnormality and provided with 
recommended corrective action. His trajectory 
is monitored from the radar driven X-Y plot 
and heading and climb angle corrections are 
provided as required. During the approach, the 
chase pilot flies in close proximity to the 
X-24A and provides airspeed, altitude, and 
turbulence information. In addition, the chase 
pilot verifies satisfactory extension of the 
landing gear and advises the pilot of his height 
above the runway during the last 100 feet of 
descent. Normally, the chase aircraft touches 
down in formation with the X-24A. The entire 
operation is one in which teamwork and 
thorough training play a very important part. 
By means of these procedures, flight testing 
of advanced, radically configured experimental 
flight vehicles is conducted in a very safe 
manner on an almost routine basis. 


CONCLUSION 

The lifting body flight test program has 
been conducted on an extremely austere basis. 
The entire cost to the government of the X-24A 
program, including vehicle acquisition, has 
been less than the cost of ma... paper studies. 
Yet, there has been no compromise with 
safety. Safe operation of such a radical flight 
vehicle has required careful attention to safety 
considerations from the beginning of the design 
process, and with continued emphasis right 
through the flight program. 





SESSION II 


QUESTIONS AND ANSWERS 


QUESTION: John, where do we go from 
here in manned lifting bodies? Is the space 
shuttle next or is there something in between? 

MR. COCHRANE: The present plan is to 
modify the X-24A to a new configuration known 
as the X-24B which has higher hypersonic 
performance. It will be a sort of long skinny 
vehicle instead of a short fat one but it is the 
same basic core. We will actually add the 
structure to this vehicle and retain the systems, 
that is anticipated to be done sometime late 
this year. Then, a lot of us at NASA are hoping 
that we will have a similar type vehicle to 
represent one of the space shuttle orbiters or 
boosters perhaps. I think the booster is the 
one that they are thinking of presently. 

QUESTION: What is the thrust in the "B"? 

MR. COCHRANE: It will be the same 
thrust. The engine will be the same and the 
engine does develop 8500 lbs. of vacuum thrust. 

COMMENT: You mean the engine is still 
good, we are going to use it many more years, 
right John? 

MR. COCHRANE: Yes sir, I might com- 
ment that the present thinking is to use two of 
them. This would give us eight chambers in 
the drop vehicles, that is the shuttle vehicle — 
space scale shuttle, and I shudder to think of 
getting eight of them going. Yesterday we sure 
had a lot of trouble getting four going. 

QUESTION: Did you use any techniques of 
system safety discipline on the X-24A or did 
you just design in good safety features. 

MR. COCHRANE: I would say yes, but I 
have to qualify it. I deliberately did not get 
into a discussion of it because I didn't have 
time. I think what it was, the technical director 
on our program had been a reliability engineer 
previously and the techniques were not the 
formal techniques that have been discussed 
here earlier, that is with charts and pro- 
cedures, etc., but it was a case of, I think 
individual responsibility, people who had worked 
in the area and who were very aware of it. I 
don't know if that answers your questions. 

MR. GORDON SMITH/ A.F. SYSTEMS COM- 
MAND: Mr. Hammer — Willie, I know you 
made a number of comments about changes 
that are needed in MIL-STD-882. I was won- 
dering whether you have already submitted 
these officially for consideration or whether 
you are going to submit them? 

MR. HAMMER: No I haven't submitted 
them officially at all. As a matter of fact, it 
was only Thursday or Friday that I heard the 
Air Force was actually thinking of revising 
MIL-STD-882. Let's say I presented a few 
comments, I even have a few that I did not 
put up here because I didn't think that they 
were that important. If you want Gordon, I can 
just get you a copy and hand them to you. 

MR. SMITH: The best thing Willie is to 
submit them on that form that is in the back 
of the MIL-STD. When we went through the 
last exercise we got recommended changes 
on wrapping paper and everything else and we 
had one heck of a time. We are hoping in this 
current revision of 882 to stick to the format 
of the form that is in the back of each copy of 
the MIL-STD, then we have them in apple-pie 
order and we can give them due consideration. 
There is one other advantage of using that 
form, with the high postage rates, the way 
they are, we pay the postage on that form. 

QUESTION: Mr. Hammer you made a 
couple of statements on MIL-STD-882. One 
that you would prefer not to see a categoriza- 
tion. As a nuclear system analyst, I'd like to 
know, when we do analysis what could we use 
to categorize? 

MR. HAMMER: Why do we need 
categorization. This is what I want to point out, 
that if the procuring activity or the agency 
that is interested in getting a system de- 
veloped actually indicates where the investi- 
gations, which way the safety activities should 
go, you really don't need these safety 
categories. Actually, the old idea about the 
categories was the fact that if they said, well 
if you have a Category IV then you know it is 
more important than Category III, II, or I. 
This was the benefit of the four categories. 
As I say, I think that we have advanced so far 
now that we really don't need the categories, 
that whoever is responsible for obtaining a 
new system could actually stipulate the various 
problems that they want investigated. In some 
of the work that I have done with various 
organization, I found it is a great deal of 
trouble trying to decide which of the categories 
these things go into. For example, let's point 
out this deal about injuries. You have two 
categories for injury. Category III and Cate- 
gory IV and it is quite a problem trying to 
determine, if the person who is going to over 
here going to be subjected to a Category III 
hazard or is he liable to be killed and be in a 
Category IV hazard. So as I say then, other 
things are these delineations between the 
categories. For example, Category IV talks 
about system loss; Category III talks about 
the fact that you might lose the system unless 
immediate corrective action is taken. Which 
means that you have a potential for system loss 
in the Category III hazard, so which do you 
put it under, Category III and IV. The other 
point is that we sometimes get the question do 
you put some things in Category I, II, III or IV 
depending on something like the probabilities 
that Mr. Allison had. Whether it is highly 
improbable, very low probability of hazard, or 
do you take anything of any probability and put 
it in a category and just leave it there? 

VOICE: I understand your point but the 
other one I think we are all interested in, is 
why is it 180° out of phase with the reliability 
category. 

MR. HAMMER: I hate to say this but I 
believe that when 38-130 was developed the 
military specification at that time had four 
reliability categories. I think they figured if 
reliability had categories, safety ought to have 
categories and just to differentiate the two they 
ran them in opposite directions. 

VOICE: Since the speaker asked a question 
why categories, I guess some of the audience 
can answer the question. I think the categories 
were just a stepping stone to management 
action. For instance in configuration 
management you'll have a Level I review board, Level 
II Board, Level III, and when you assign a 
design change it establishes the level which 
review and decision can be made. I think 
there was an implication that Category IV 
would have to be reviewed as a high level of 
management; Category III as a low level of man- 
agement, etc. Unless the management system 
goes on and says that unless the management 
system identifies some correlation between the 
responsibility and authority for disposing of the 
hazard, then the Category itself is meaningless. 

MR. HAMMER: Categories have this one 
basic advantage, the fact that supposedly you 
look at the Category IV and you say, we want 
to pay more attention to that, but we get in- 
volved with another problem in determining 
the categories. For example, taking a missile 
that we are trying to establish categories on. 
Say this is an air launch missile. We know 
that if the electrical system fails on a missile 
that has been launched that you have system 
loss. System loss is Category IV. Now, you 
can have an electrical system failure for a 
number of reasons. One of the reasons is that 
you lose the battery which means that if the 
battery fails then you have a Category IV 
hazard. As you go down you begin to analyze 
what could cause the problems within the 
batteries and you can have sixteen different 
items such as touching plates, a poor connec- 
tion, poor soldering, each one of these things. 
Does that mean that poor soldering within the 
battery is a Category IV hazard because you 
are ultimately going to lose the system. Now 
you have to have a Philadelphia lawyer to 
begin to figure out where do you stop cate- 
gorizing these things as Category IV or 
Category III. This is not well-defined in 
MIL-STD-882. 

QUESTION: Again for Mr. Hammer, the 
point of categorization. The categorizing sys- 
tem sure is simply a means of shorthand, I 
agree that it has serious problems. Perhaps 
it needs expansion rather than eradication. 
For example one serious injury or a thousand 
deaths would both be a Category IV hazard 
when you can hardly compare the two in any 
system safety program. That is simply an 
aside. My question really is that MIL-STD-882 
says in about 5900 words exactly what 38-130A 
said in 2500 words. Is it your opinion that 
882 is a step forward? a step backward? 
or a step sideways in comparison to 
38-130? 

MR. HAMMER: I think the chief advantage 
in MIL-STD-882 was in the delineation of the 
tasks and the various phases. Here again, I 
think certain of these items should be im- 
proved. For example this deal about the sys- 
tem safety program plan, both in 38-130 and 
MIL-STD-882. In the conceptual phase they 
have no requirement for the system safety 
program plan. The system safety program plan 
actually comes into being in the Phase A 
definition. I know that lately they started 
changing the various phases, but it comes into 
the Phase A definition and it is actually pre- 
pared at that time for use during the Phase B 
and for the engineering phase which means 
that the system safety program plan according 
to 882 is not prepared for use during the 
current work being done on a system. In ac- 
tuality most of the procuring activities re- 
quire that a system program plan be prepared 
and that is actually used during the current 
phase but it isn’t what this says in 
MIL-STD-882. As I say the big advantage, to 
answer your question of 882 over 38-130 was 
the delineation of the safety tasks. 

MR. RUSSELL (GE): I have been spending 
about the last two years working with a 
chemical and petroleum industry and applying 
some of these techniques and I would just like 
to pass on for the benefit of this conference 
that they continually remind me that a lot of 
industries are not like NASA and aerospace 
in terms of dollar resources. Unless I can 
show them a series of category definitions by 
which they can decide who can work on these 
problems and how many dollars that the line 
manager, as Mr. Pope so adequately pointed 
out, can be allowed to address this problem 
with, they are not very much interested in 
using NASA and Aerospace techniques in their 
current dilemma with the environment. 

MR. HAMMER: I point out the fact that 
one of the biggest problems we actually have 
in management is trying to understand some 
of this differentiation between reliability and 
system safety. I have seen statements of work 
that say "failure mode analysis will be con- 
ducted." Now safety goes beyond that. 

It is not only failures, you have the en- 
vironment effect, you have personnel errors, 
you have a lot of other things that actually 
the reliability people did not consider and so 
in writing the statement of work, where it is 
the statement of work again it is necessary 
that they be clear in making sure this is a 
safety effort and not a part of a reliability 
effort. I might say that June 10th, Machine 
Design is going to have another article and it is 
going to be on reliability versus safety as 
related to liability. In this we point out the 
fact that indicating in warranties that an ex- 
press warranty, where you say a thing will 
last a certain length of time, 50,000 miles or 
5 years, is actually a warranty that relates to 
reliability. The implied warranty that a product 
must be safe if it has no time limit actually 
on the thing is really the system safety aspect 
of a liability suit. In addition to that I try to 
point out, the article was cut down, was the 
fact that if you have an accident and a liability 
suit arises, it doesn’t matter what the test 
reliability or the operational reliability or the 
design reliability was, you can be sued for 
negligence in design and a lot of other things 
unless you have taken suitable safety action. 
There is a great difference between the re- 
liability and the system safety but frequently, 
as I stated before, the expressions in the 
statement of work do not reflect. We then have 
trouble with management in trying to indicate 
that there is a difference. 
When I was a boy, our daily newspaper 
regularly carried a cartoon with the caption, 
"Heroes are born — not made." Those of us in 
the field of system safety today have arrived 
there from an amazingly diverse set of back- 
grounds. As so-called "charter members" of 
this discipline, we could be considered the 
"heroes" of system safety. Many of these 
heroes are convinced that they know all there 
is to know about the subject. In fact, some 
may feel that they invented system safety. 

To those not quite so self-assured or those 
yet possessing some humility regarding their 
mastery of the subject, this session on Sys- 
tem Safety is dedicated. We believe that 
education of a formal variety is not only a 
nice idea but a vital necessity if system safety 
is to become and remain a truly professional 
activity. 

So if you were not born a hero of system 
safety, we propose that you can be made a 
hero — even at this late date — through educa- 
tion. 

Every great idea is said to have its own 
time of arrival on the scene of history. 
Breakthroughs in medicine, aeronautics, eco- 
nomics and other fields are often achieved 
simultaneously in widely-separated areas of 
the world without collaboration. A current 
example of this precept is the marked simi- 
larity in appearance, size, and performance 
between the Soviet Union's TU-144 and the 
Anglo-French "Concorde" SST. 

The speakers in this session will illustrate 
the thesis that "system safety's time has now 
arrived." To further reinforce this thesis, 
you will note that the subjects discussed in 
this session all have a different root or 
source for system safety education, and the 
educational institutions represented are sep- 
arated by at least 1000 miles. 


The first paper discusses system safety 
education as it emanated from a world- 
renowned base of aviation safety at the Uni- 
versity of Southern California. The Institute 
of Aerospace Safety, which dates to 1952, 
provided a unique foundation for system safety 
education. 

The second paper depicts system safety 
education spontaneously arising in the In- 
dustrial Engineering Department at Texas 
A&M University where similar courses in 
maintainability engineering and production de- 
sign engineering had been also offered for 
several years. 

The third and final paper provides yet 
another phylogenesis for system safety edu- 
cation — the field of system management. The 
George Washington University School of En- 
gineering and Applied Science conceived their 
system safety course as a natural outgrowth 
of the systems approach to management. 

We had intended to have a fourth university 
represented on the program today — the Uni- 
versity of Washington. To that end, I had re- 
quested that Professor Berl W. Owens, UW's 
System Safety Course Coordinator, prepare a 
paper entitled, "System Safety Education Fo- 
cused on Quantitative Techniques." His course, 
dating from 1965, is well-known for its 
specialization on Fault Tree Analysis and has 
been attended by perhaps more personnel than 
any of the three courses being discussed in 
this session today. In a letter dated 9 March 
1971, Professor Owens wrote to me: 

". . . Thank you very much for the oppor- 
tunity to present a short paper and present 
it before the Government-Industry System 
Safety Conference on 26-28 May 1971. It is 
indeed a top level conference and I am sorry 
I must decline. I am in poor health at the 
moment and cannot get away from home. . ." 
I am grieved to report to this Conference 
that approximately two weeks ago, Professor 
Owens passed away in Seattle. In his honor, I 
request that we stand for a moment of silence. 
(The Conference thereby honored Professor 
Owens' memory.) 

The contrast between origins for system 
safety education is most interesting. Because 
this session is designed to reinforce the 
Conference theme— "to broaden the 
application of system safety into many areas outside 
aerospace," consider the breadth of education 
to be discussed today: 

1. All three courses discussed are of 
different length or duration. 

2. Some of the courses are offered for 
college credit, others are not. 

3. The courses are offered on the East 
Coast, West Coast, and the Great South- 
west. 
INTRODUCTION 

General John D. Ryan, Chief of Staff, United 
States Air Force, in his keynote address at 
the 1969 Air Force Industry System Safety 
Conference, made a significant statement con- 
cerning System Safety. General Ryan stated, 
"We have encouragement by our competence in 
the engineering disciplines, but. . .many of 
our deficiencies in safety can be traced to a 
prevalent flaw, not in the area of competence, 
but in attitude." The problem identified by 
General Ryan is of particular significance in 
the field of System Safety. Many of our de- 
ficiencies in system design could be eliminated 
with proper attention and early attention to 
the "demands" of safety. However, the "de- 
mands" of safety in many cases are not 
adequately considered as a result of a nega- 
tive safety attitude held by non-safety per- 
sonnel in decision-making positions. This 
basic attitude toward safety results in the 
feeling that safety in general and safety pro- 
grams in particular will inhibit or restrict or 
otherwise limit operations. The resultant at- 
mosphere finds the system safety engineer 
in a defensive position attempting to convince 
personnel who, in the first place, are probably 
not technically qualified, and secondly, do not 
understand the system safety concept; in short, 
ultimately making the "hard sell" to a person 
who is not buying. Objectivity dictates that 
these management and non-safety personnel 
are normally influenced by the pressure of 
schedule constraints, budget limitations, and 
performance-oriented design groups. The 
realization that these personnel are also in- 
fluenced by a sometimes unconscious bias or 
negative attitude in reference to the general 
subject of safety, let alone the lesser under- 
stood discipline of System Safety, should serve 
as a cause for great concern among safety 
educators. For as we ponder this situation 
and begin to evaluate proposed solutions to the 
problem, which incidentally is no unique prob- 
lem and does not have a unique solution, the 
answer continues to come up SYSTEM SAFETY 
EDUCATION . We must educate until manage- 
ment and non-safety personnel recognize where 
and how utilization of the system safety process 
can best serve their needs. 


The faculty and staff of the Institute of 
Aerospace Safety and Management, University 
of Southern California, are dedicated to the 
proposition that basic safety education is of 
fundamental importance to the success of 
accident prevention programs. The Institute, 
presently in its nineteenth year of operation, 
consists of two divisions and a Research 
Center. The Safety Division, founded in 1952, 
offers a variety of safety education programs 
designed as short courses which vary from 
one to twelve weeks in length. More than 
9,000 students have attended Safety Division 
safety courses including personnel from the 
aerospace industry, commercial aviation, gen- 
eral aviation, the United States Armed Forces, 
and students from foreign countries. Notable 
alumni include astronauts Alan Bean, James 
Lovell, Jr., and Walter Schirra and the 1969 
Harmon Trophy winner Major Jerry Gentry. 
The Graduate Division, founded in 1963, offers 
a graduate degree program, Master of Science 
in Systems Management. Operating from 26 
graduate study centers located around the 
world, more than 1,775 master's degrees 
have been conferred. The recently established 
Research Center concentrates on research and 
development in flight safety, highway safety, 
transportation systems, and human factors. 

SYSTEM SAFETY EDUCATION 

The Institute of Aerospace Safety and 
Management has developed and conducted many 
different types of safety courses. In fact 
during the last fiscal year, 45 separate courses 
representing different programs were pre- 
sented. These courses include Aerospace En- 
gineering, Missile Propulsion Systems, Air- 
craft Accident Investigation and Prevention, 
Communicative Skills in Safety Education, 
Aviation Psychology, Aerospace Physiology, 
Aerospace Safety Management, etc. Although 
the major emphasis in all of the courses is 
safety, four of the courses deserve special 
attention in this paper due to their relevance 
to the subjects of Flight Safety and System 
Safety. These courses are: 

I. Flying Safety Officer Course 

II. Advanced Safety Program Management 
Course 
III. Fundamentals of System Safety 

IV. Quantitative Methods of Safety Analysis 


I. The Flying Safety Officer (FSO) Course is 
presented to rated pilots of the United States 
Air Force and Air National Guard who are as- 
signed to Flight Safety or Safety Staff Officer 
duties. The initial FSO course began 16 March 
1953 and since that time 90 courses involving 
some 2,300 students have been completed. The 
FSO course is designed to develop in the student 
an understanding of the principles of accident 
prevention and how to incorporate these prin- 
ciples in an accident prevention program, an 
understanding of current flight safety educa- 
tional methods in the Air Force, the ability 
to recognize hazards involving human per- 
formance, equipment performance, physical 
environment, and the interrelationship of these 
hazards, knowledge and skill in the supervision 
of aircraft accident investigation, an under- 
standing of accepted principles of learning 
and the ability to apply them to instructional 
situations, etc. No specific reference to the 
subject of System Safety has been made; in 
fact, only recently have system safety en- 
gineering techniques and a general discussion 
of the System Safety concept been formally 
introduced into the FSO course curriculum. 
Rather the FSO course has been singled out 
here because of its fundamental importance 
and great tradition in safety education at the 
University of Southern California. System 
safety education at USC has its very roots in 
flight safety. Flying safety is concerned with 
the recognition, prevention, and elim- 
ination of all hazards to flight and the 
flying safety officer's job is primarily educa- 
tional. He must assure that hazards are known 
and understood with an awareness of required 
corrective actions. Comparable courses are 
also presented to U.S. Air Force Missile 
Safety Officers and U.S. Army Aviation Safety 
Officers. 

II. The Advanced Safety Program Manage- 
ment (ASPM) Course provides specialized 
safety education for officers of the U.S. Air 
Force and civilians, GS-11 or higher, in order 
to assist in their further qualification as 
Safety Staff Officers. The initial ASPM Course 
began in November, 1964, and since that time 
20 courses involving more than 500 students 
have been completed. The ASPM course is 
designed to develop in the student an under- 
standing of the principles of management and 
the relationship of these principles to the 
management of effective safety programs, the 
basic principles of safety required for the 
development of a philosophy of safety, the 
collection, preparation and analysis of source 
accident data, the basic principles of motor 
vehicle safety, and an understanding of com- 
munications and industrial relations in safety 
management. The instructional material on 
the collection and analysis of accident data 
has recently been expanded to include not only 
the traditional methods of post-accident data 
analysis but also what has been termed pre- 
accident investigation. The instructional sec- 
tion begins with the graphical presentation of 
accident data, the derivation of accident rates, 
basic probability theory, statistical safety 
measures, confidence and risk, and the utili- 
zation of accident data in safety decision- 
making. System safety education has thus been 
introduced as a fundamental approach to acci- 
dent prevention which is more effective, en- 
sures greater leverage in design analysis and 
decision-making, and also affords the most 
economical approach to preventing accidents. 
Graduates of the ASPM course, who receive 
seven units of graduate credit, usually have a 
basic understanding of and practical experi- 
ence in flight safety. Inclusion of system 
safety education in its curriculum has allowed 
these students' basic understanding and 
philosophy of safety to evolve and expand 
toward more of a total safety concept, in- 
cluding system safety and operational safety 
as an integrated approach to accident preven- 
tion. 

III. The course, Fundamentals of System 
Safety, presents a curriculum of system safety 
education in its truest sense. The initial Sys- 
tem Safety course began in October, 1963, 
and since that time 18 courses involving over 
400 students have been completed. Prerequi- 
site for this course is a bachelor's degree, 
preferably in an engineering or technical field, 
or three years of safety, system engineering, 
or maintenance experience. Three units of 
graduate level credit are given for satisfactory 
completion of the three week course. 

System Safety as a fundamental approach 
to accident prevention has been and is con- 
tinuing to be a rapidly expanding field which 
requires the best managerial and technical 
talents available. System safety educational 
programs have consequently been required to 
remain flexible in meeting the challenges of 
this expanding new discipline of System Safety. 
At the University of Southern California minor 
System Safety Course modifications have been 
made with almost every class. In fact, several 
major curriculum changes have been required 
during the past five years. It is believed that 
the experience gained through such a course 
evolution will prove critically important to 
the future success of system safety education 
at U.S.C. 

The primary mission of the present System 
Safety Course is to develop within the student 
a basic understanding of the total system 
safety concept. The course is designed to 
address both the management and the engi- 
neering aspects of System Safety. The pres- 
entation of management and engineering ma- 
terial in a proper balance is both delicate and 
critical. Further, while the term System 
Safety properly defines a program to cover 
the entire life cycle of a system, the primary 
interest should be directed to the concept, 
definition, and development or so-called "de- 
sign” phase of the system's life. System 
Safety will thus complement the established 
traditional safety efforts during the opera- 
tional phases of a system. A system safety 
educational program should, therefore, be 
directed primarily to the earlier design phases 
of system life, devoting enough attention to 
the later operational phases to allow the 
student to understand the total scope of the 
system safety effort. The system safety en- 
gineering methods which may be applied during 
the design phase to evaluate the relative 
safety of proposed system designs are not 
only more technical and penetrating, but more 
quantitative also. The system safety en- 
gineering portion of the course should pre- 
pare the student to both perform and evaluate 
the vital safety analytical function; namely, 
the identification and control of system 
hazards. The system safety management por- 
tion of the course should familiarize the 
student with the planning, organizing, directing, 
and controlling aspects of management. 
During the development and presentation 
of the instructional material of the course, 
the U.S.C. faculty have reviewed current in- 
dustry and government system safety tech- 
nology, adapted basic principles and specific 
methodology to individual aerospace applica- 
tions, and genuinely pursued a course which 
is more than another theoretical discourse. 
Selected guest lecturers from industry enrich 
course content with "real world" experience. 
An extremely effective class group project, 
recently instituted, has proven successful in 
preparing the students for necessary System 
Safety program planning, organizing, job de- 
scriptions, and costing. A unique and beneficial 
aspect of the class group project is the coordi- 
nation required of military and civilian students 
as team members. Working together as a team 
toward a common goal promotes a better under- 
standing of the problems that each must face 
respectively. 

A similar course is presented to Depart- 
ment of the Navy safety personnel in the 
Washington, D.C. area, except that separate 
system safety management and system safety 
engineering courses are presented, each two 
weeks in length. 

IV. The course, Quantitative Methods of 
Safety Analysis, is a recent addition to the 
graduate courses presented by the Institute 
Safety Division. The basic premise of this 
course is that system safety analysis should 
be a process which is fully capable of as- 
suming a leading role in design analysis. The 
basic purpose of system safety analysis should 
be, therefore, to identify hazards in the system 
as it is proposed to be designed and operated, 
evaluate the risk associated with the identified 
hazards, and eventually to prevent or control 
the hazards which are considered to be un- 
acceptable. This course provides technical 
knowledge in the system safety analytical 
technology and associated quantitative risk 
assessment methods. Most importantly, effec- 
tive utilization of the output of the safety 
analytical program is emphasized in the in- 
structional material. The student is introduced 
to the philosophy of risk acceptance, the 
derivation and allocation of risk require- 
ments, and the quantitative risk evaluation 
methods. 

SYSTEM SAFETY IN OPERATIONS 

The conventional application of the system 
safety engineering process to the earlier 
design phases of the system life cycle has 
sometimes led to a lack of awareness of the 
technical safety aspects during operations. 
Utilization of the modern system safety ana- 
lytical technology is being restricted almost 
entirely to the design phases as previously 
noted. Furthermore, system safety educa- 
tional programs normally do not include Sys- 
tem Safety as a formal, disciplined approach 
in the operational phase. Recent developments 
have been made at U.S.C. which should im- 
prove safety decision-making during the op- 
erational phase. These developments repre- 
sent new and improved analytical methods for 
use during operations which were derived 
from the system safety technology. Accident 
Logic Diagramming is a good example of the 
adaptation of a system safety analytical method 
to assist the accident investigator in identi- 
fying accident cause factors. The field of 
accident investigation has developed into a 
highly specialized body of technical knowledge. 
There are files which are literally full of 
accident cause data, hoping that through knowl- 
edge of the cause of accidents we can take 
action to prevent future accidents. It is possi- 
ble that rather than logically identifying real 
causes of accidents, the accident investigator 
is doing nothing more than confirming his 
preconceived conclusions. In order to mini- 
mize this possibility, the investigator should 
utilize a logical, systematic, and thorough 
approach which is more analytical in nature 
in order to isolate and identify accident causes. 
A method of system safety analysis which has 
been developed over the past ten years, termed 
Logic Diagram Analysis or Fault Tree Analy- 
sis, is ideally suited to this task. The logical 
processes of fault tree development are in 
fact identical to the logical processes of acci- 
dent investigation. The investigator and the 
analyst deduce from available evidence, be- 
ginning with the fact of the accident or pre- 
accident itself until the probable cause can be 
identified and substantiated. Utilization of this 
analytical tool by the investigator to organize 
his thinking is termed Accident Logic Dia- 
gramming. Standard event and logic gate 
symbology has been developed and may be 
consistently applied to actual accident situa- 
tions. However, for the purposes of accident 
investigation, certain modifications to the 
basic logic diagramming system are required. 
Since the undesired event in question has 
already occurred, the matter of event 
probabilities and quantitative risk evaluation 
is not necessary. Accident Logic Diagramming 
is strictly a qualitative assessment. As a 
result all possible causative conditions can 
be logically diagrammed, regardless of the 
availability of numerical failure data. The 
man, the machine, and the environment can be 
logically combined as an interacting system. 

Several obvious advantages are realized 
with Accident Logic Diagramming. First, the 
logical thought processes are presented in a 
visible, logical, easily understood diagram 
for others to see and comment upon. This 
factor alone increases the likelihood that ideas 
will be shared and investigative methods will 
be questioned. Second, a documented, graphical 
checklist of areas to investigate logically de- 
velops with the diagram, minimizing the possi- 
bility that important evidence will be over- 
looked early in the accident investigation. 
Finally, the Accident Logic Diagram becomes 
a flow chart and a realistic indicator of in- 
vestigative progress. Notes on evidence can 
be made next to the diagram events to which 
they apply, indicating whether the events did 
or did not occur. It is recommended that the 
Accident Logic Diagram be prepared as early 
as possible in the investigation cycle, and that 
it be continually expanded. Eventually as the 
actual accident cause factor(s) is isolated 
and identified, necessary corrective actions 
can be taken, thus reducing or eliminating the 
possibility of future accidents due to similar 
cause factors. 
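
The Accident Logic Diagram described above can be held as a small data structure and worked mechanically. The following Python program is an added example written for this edition; it is not code from the paper or from the University of Southern California course, and the diagram it builds (a hypothetical runway overrun with events E1 to E6 and constructed evidence notes) is an assumption made for illustration. It evaluates the diagram three-valued (occurred, ruled out, not yet investigated) with no probabilities, derives the minimal cut sets, labels each as substantiated, ruled out or open, produces the checklist of events still to be investigated on branches the evidence has not excluded, and reports investigative progress.

```python
# Accident Logic Diagram as a qualitative fault tree: added example, not from the paper.
# Evidence status per event: True = shown to have occurred, False = ruled out, None = uninvestigated.
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Union

Status = Optional[bool]

@dataclass
class BasicEvent:
    id: str
    text: str
    status: Status = None
    note: str = ""                  # investigator's evidence note beside the event

@dataclass
class Gate:
    id: str
    text: str
    kind: str                       # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)

Node = Union[BasicEvent, Gate]

def evaluate(node: Node) -> Status:
    """Three-valued (Kleene) evaluation: evidence only, no probabilities."""
    if isinstance(node, BasicEvent):
        return node.status
    vals = [evaluate(i) for i in node.inputs]
    if node.kind == "AND":
        if any(v is False for v in vals):
            return False
        return True if all(v is True for v in vals) else None
    if node.kind == "OR":
        if any(v is True for v in vals):
            return True
        return False if all(v is False for v in vals) else None
    raise ValueError(f"unknown gate kind {node.kind!r}")

def basic_events(node: Node) -> Dict[str, BasicEvent]:
    if isinstance(node, BasicEvent):
        return {node.id: node}
    found: Dict[str, BasicEvent] = {}
    for i in node.inputs:
        found.update(basic_events(i))
    return found

def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal combinations of basic events sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.id])]
    child = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child for s in cs]
    else:  # AND: one cut set from each input, united
        sets = [frozenset().union(*combo) for combo in product(*child)]
    uniq = set(sets)
    minimal = [s for s in uniq if not any(o < s for o in uniq)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def classify_cut_sets(top: Node) -> Dict[str, str]:
    """Label each cut set 'substantiated', 'ruled out' or 'open' from the evidence."""
    ev, out = basic_events(top), {}
    for cs in minimal_cut_sets(top):
        vals = [ev[e].status for e in cs]
        label = ("ruled out" if any(v is False for v in vals)
                 else "substantiated" if all(v is True for v in vals) else "open")
        out["+".join(sorted(cs))] = label
    return out

def checklist(node: Node) -> List[str]:
    """Uninvestigated events on branches the evidence has not ruled out."""
    if isinstance(node, BasicEvent):
        return [node.id] if node.status is None else []
    if evaluate(node) is False:     # whole branch excluded, nothing left to check
        return []
    return [e for i in node.inputs for e in checklist(i)]

def progress(top: Node) -> float:
    """Fraction of basic events whose status the evidence has settled."""
    ev = basic_events(top)
    return sum(e.status is not None for e in ev.values()) / len(ev)

def build_tree() -> Gate:
    """Constructed (hypothetical) diagram for a runway overrun on landing."""
    return Gate("TOP", "Aircraft overran runway after landing", "OR", [
        Gate("G1", "Wheel braking ineffective", "AND", [
            BasicEvent("E1", "Brake hydraulic pressure lost", False, "brakes tested serviceable"),
            BasicEvent("E2", "Emergency brake not applied")]),
        Gate("G2", "Excess energy at touchdown not corrected", "AND", [
            BasicEvent("E3", "Touchdown beyond normal zone", True, "tyre marks 900 m past threshold"),
            BasicEvent("E4", "Go-around not initiated", True, "recorder shows no power increase")]),
        Gate("G3", "Contaminated runway not accounted for", "AND", [
            BasicEvent("E5", "Standing water on runway"),
            BasicEvent("E6", "Landing distance not recomputed for contamination")])])

if __name__ == "__main__":
    tree = build_tree()
    print(evaluate(tree), classify_cut_sets(tree), checklist(tree), progress(tree))
```

With the constructed evidence, the top event evaluates as having occurred because cut set E3+E4 is fully substantiated, cut set E1+E2 is ruled out by the serviceable brakes, and E5+E6 stays open; the checklist therefore names only E5 and E6, while E2 drops off because its whole branch has been excluded. Gate G3 illustrates the point the text makes about the man, the machine and the environment being combined in one diagram: a runway condition and a crew procedure sit under one AND gate.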

CONCLUSION 

General John D. Ryan stated, "The appli- 
cation of measures to achieve higher levels of 
System Safety is recognized today as a vital 
concern for the entire engineering community 
as well as for our managers and operators. 
This goal is clearly essential, because it rep- 
resents the principal means of preserving the 
combat capability of the Air Force. We, 
therefore, must consciously focus our efforts 
on reaching that goal." System Safety is a 
vital concern in the achievement of accident 
prevention. The application of the System 
Safety concept in design and in operations 
should be a principal means of avoiding all 
conceivable situations which can place our 
nation, its resources, or its population in 
jeopardy. As our nation continues to design 
and manufacture equipment which is more 
expensive, more complex, with greater de- 
grees of automation for use by and around a 
public which is aroused and more intelligent, 
System Safety becomes increasingly important. 
As a result, System Safety education is also 
becoming increasingly important. At the Uni- 
versity of Southern California, as safety edu- 
cators we are confident and optimistic that 
the challenges of System Safety education will 
be met. 

No field of engineering enjoys closer rela- 
tionship to public and political concern today 
than safety engineering; and probably no other 
engineering field is so ill prepared to exploit 
this relationship. Why? Because the demands 
on the safety engineer today require thorough 
understanding of systems analysis and sys- 
tems engineering principles, human factors, 
and the safety implications of hardware de- 
sign. Unfortunately, most safety engineers 
developed from other specialities and are 
primarily experienced in industrial safety. 
The rapidly expanding technology of today's 
world requires solution of potential safety 
hazards by recognizing the hazards and ap- 
propriately influencing the design of hardware 
to eliminate or reduce them. 

Nowhere has the short supply of safety 
engineers, with the necessary background, 
been more sharply felt than in the Army 
Materiel Command. The primary mission of 
this command is the research and develop- 
ment, procurement, and supply of Army mili- 
tary hardware. The bulk of the system safety 
responsibility for this hardware rests with 
the Army Materiel Command Safety Office 
and similar offices at the subcommands (called 
commodity commands because of their com- 
modity orientation). This safety organization 
has, until recently, been primarily concerned 
with industrial safety at production activities 
within the Army Materiel Command (AMC). 
There is increasing recognition by both the 
general public and development personnel that 
most accidents resulting in property damage, 
injury, and loss of life are caused by and/or 
compounded by hardware not designed for the 
human environment. The natural outcome of 
the recognition has been to place greater re- 
sponsibility for hardware design on the AMC 
safety organization. 

Having been staffed primarily by non- 
engineering safety personnel during World 
War II, AMC faced a critical shortage of the 
necessary skills. A large portion of its exist- 
ing safety staff will be retiring in the next 
five years. AMC and especially Mr. Landon 
Feazell, the present Chief of the AMC Safety 
Office, recognized the impending safety per- 
sonnel shortage and made provisions to im- 
prove the outlook. 

Basically, the AMC requires the input of 
20 to 30 engineers per year with thorough 
knowledge of system safety and its related 
principles - personnel who can both influence 
design and revitalize the safety workforce, 
moving it into its proper realm of responsi- 
bility. To accomplish this would require hir- 
ing younger engineers with good safety engi- 
neering background or training. Unfortunately, 
this kind of engineer is difficult to find and 
even more difficult to hire. The best alterna- 
tive was for AMC to train their own personnel 
and a training program was established to ac- 
complish the following objectives. 

1. Recruit into the AMC workforce young, 
qualified engineers with demonstrated capa- 
bility. 

2. Educate these engineers in the field of 
safety engineering. Also, educate them in the 
specifics of Army peculiar safety hazards in- 
cumbent with the development and handling of 
explosives, nuclear weapons, and the chemical/ 
biological agents. 

Since a good background in hardware design 
is essential to the functions of system safety, 
engineers with specialization in Mechanical, 
Electrical, Civil, Aeronautical, or Chemical 
engineering are desired. To obtain the very 
best engineering graduates AMC in conjunction 
with Texas A&M University, established a 
graduate level training program giving the 
student the opportunity to obtain a Master of 
Engineering Degree. To provide the necessary 
theoretical background, as well as the prac- 
tical background, in hazardous materials re- 
quires two years of classroom study. The 
engineers upon graduation are placed in safety 
positions at all AMC activities. Since they are 
trained by the AMC Intern Training Center, 
the graduates have broad knowledge of AMC 
safety functions with no built in loyalties to 
specific commodity areas. They provide AMC 
with a highly capable, flexible, and mobile 
safety engineering expertise. A description 
of the curricula for the Safety Engineering 
Program follows. 

CURRICULA 

This jointly sponsored Safety Engineering 
Program consists of twenty-four months of 
graduate level study divided into three sec- 
tions: (1) the first six months of the program 
are taught by the US AMC Intern Training Cen- 
ter at the Red River Army Depot, Texarkana, 
Texas; (2) the next 12 months are taught by 
Texas A&M University - with the first eight 
months taught at the Red River Army Depot 
Extension, while the last four months are 
taught on the main campus at College Station, 
Texas; and (3) the final six months are taught 
by the US Army Field Safety Agency at 
Charlestown, Indiana. 

During the first two phases (first 18 months) 
all of the courses are graduate level and are 
presented in a university environment. A 
breakdown of the program of instruction by 
major topic area is shown below: 

SYSTEM SAFETY RELATED COURSES 
(21 Credit Hours) 

♦Introduction to Safety Engineering 
System Safety Engineering 
System Safety Engineering in the Design 
of Equipment 

Safety Engineering in Facilities Design 
Safety Engineering in Transportation 
Systems 

System Safety Seminar 
Safety Engineering Research 

♦Non Graduate Credit 

These courses are designed to provide the 
students with specific background material 
which will allow him to serve as a system 
safety specialist on a design team. Discussion 
concentrates on the application, selection, and 
utilization of various system safety analytical 
approaches. Emphasis is also placed on the 
management of a system safety program, its 
relationship with other disciplines, and new 
developments and applications of system safety 
techniques. 

SYSTEM SAFETY INTERFACE COURSES 
(22 Credit Hours) 

♦Statistical Methods in Reliability and 
Maintainability 

♦Weapon System Acquisition 

♦Engineering Application of Computers 
Theory of Human Factors Engineering 
Engineering of the Man-Machine Sys- 
tems 

Evaluation and Control of the Occupa- 
tional Environment 

♦Non Graduate Credit 
This set of courses is designed to provide 
the graduates with a working knowledge of 
Human Factors Engineering, Maintainability 
Engineering, Reliability, Industrial Hygiene, 
and the System Acquisition Process. All of 
these as you well know are very closely re- 
lated and are important inputs when the total 
safety of the system is under consideration. 

INDUSTRIAL ENGINEERING COURSES (30 
Credit Hours) 

♦Introduction to Operations Research 
♦Mathematical Statistics 
♦Applied Mathematics 
♦Engineering Management 
♦Statistical Quality Control 
Analysis and Prediction 
Principles of Operations Analysis 
Advanced Quality Control 

♦Non Graduate Credit 

These courses serve three purposes. First 
of all they serve as pre-requisite type courses 
in order to bring all the different type engi- 
neering graduates to a common plane, for the 
more advanced courses which follow. Secondly, 
the courses strengthen the student's mathe- 
matical abilities which are important in apply- 
ing system safety and reliability analysis. 
Finally, since a Master's Degree is offered 
through the Industrial Engineering Department, 
certain "core" courses are required by the 
Graduate College of Texas A&M University in 
order to award this degree. 

The last phase of the program is conducted 
at the US Army Field Safety Agency and is 
designed to provide practical "hands on" type 
of training. The formal training includes both 
Army and AMC procedures, safety regulations, 
and related exercises in practical applications 
of safety principles. A portion of the program 
is devoted to "on-the-job" type training. 

The major topics that are covered in this 
phase are: 

FIELD SAFETY AGENCY TOPICS 

On-Job Orientation 
Munitions Safety 
Aviation Safety 
Industrial Safety 
System Safety 
Radiological Safety 
Safety Management 

As you can readily see from the curricula 
above, these engineers are being trained for 
much more than just "system safety engi- 
neering" as we have come to think of it during 
recent years. By taking the total engineering 
approach to system safety education, these 
graduates will have more capability in a much 
broader area of responsibility. A majority of 
the AMC installations at which these graduates 
will be assigned have no formal "system 
safety" organization. At many of these com- 
mands it will be a part of their duties to help 
initiate system safety activities. At still others 
the individuals may have to input system safety 
through such organizations as Research & 
Development, Quality Assurance, etc. After 
gaining invaluable experience on the job we 
feel these graduates will be capable of inte- 
grating into any system development team, 
and will be able to improve design through 
application of system safety engineering prin- 
ciples. 

ENTRANCE REQUIREMENTS 

The requirements for the engineering grad- 
uate input to this program are the same as the 
requirements for the other two intern pro- 
grams (Production Design Engineering and 
Maintainability Engineering) which the USAMC 
Intern Training Center administers. Graduate 
engineers are recruited from universities 
across the nation, representing different en- 
gineering disciplines, from the upper one- 
third of their graduating class. With this 
academic ranking the students enter Federal 
Service as GS-7 Quality Students. After satis- 
factorily completing the first 12 months of 
the program they are promoted to GS-9 
grades, and after successful completion of the 
24-month program they are promoted to the 
grade of GS-11. At the end of the 24-month 
program each graduate assumes a three year 
continued service agreement with monetary 
repayment if they leave the Federal Govern- 
ment prior to the expiration of the three 
years. 

FIRST CLASS 

The first class of safety engineers began 
their study in June 1969. Their average under- 
graduate grade-point was 3.1 on a 4.0 system 
and they represented 15 different universities 
from across the United States. All 20 students 
received Master's Degrees from Texas A&M 
University in August 1970 and have just this 
month completed the 24-month program and 
have been given permanent duty assignments 
at various AMC installations. 

The second class has just completed the 
first 12 months of the program and the third 
class has been recruited and will report June 1 
to begin training. 

CONCLUSION 

Since one of the objectives of this confer- 
ence is "applications" and "transfer of in- 
formation" it should be pointed out that while 
the program described in this paper is a 
specific program for AMC, a similar program 
is available on an individual basis at Texas 
A&M. Here the individual would choose his 
own degree program and would usually re- 
quire 12 months to attain a Master's Degree 
in Industrial Engineering, assuming he has a 
Bachelor's Degree in any field of engineering. 
Individual students are encouraged to adapt 
the techniques and philosophy of "system 
safety" to "product safety" as it is commonly 
referred to by private and consumer industry. 
Indeed, it has been said that one of the more 
important spin-offs from the aerospace tech- 
nology may be the system safety concept and 
its application to product safety. 

The USAMC-Texas A&M program in Safety 
Engineering is an effective method for edu- 
cating and training engineers in the unique and 
demanding technology of system safety engi- 
neering. As these graduates progress through 
AMC assuming positions of responsibility, 
they will make their presence felt and will 
have a tremendous impact on not only AMC, 
but the US Army as well, the principal cus- 
tomer of AMC commodities. Improved safety 
performance, monetary reward from reduced 
costs, and upgrading the overall capabilities 
of the AMC safety workforce are the expected 
results from this program. 

The first class of the "System Safety" 
course at The George Washington University 
was held in March 1969. This two-week, non- 
credit course was offered twice in 1969, three 
times in 1970, and it is scheduled at least four 
times in 1971, so the course is in an expand- 
ing mode. 

The course was initiated with the support 
and guidance of the Electronics Industries 
Association G-48 "System Safety Committee,” 
chaired by George Mumma of the Martin 
Marietta Corporation. Mr. Mumma also serves 
as a guest lecturer in the course. Numerous 
notables in the field of system safety con- 
tribute as guest lecturers in the course in- 
cluding the Chairman of this Conference, 
Phil Bolger, and Jerry Lederer, NASA Direc- 
tor of Safety. In addition to Messrs. Bolger 
and Lederer, the following men listed in the 
program for this Conference have served as 
lecturers in this course: C. O. (Chuck) Miller, 
Dr. Carl C. Clark, Haggai (Guy) Cohen, and 
Dr. Raymond M. Wilmotte. 

COURSE RATIONALE 

Course Scope 

At GWU, system safety covers the total 
spectrum of risk management. While starting 
with the dynamic system element (vehicle, 
machine, or process), the course examines 
the influence on system safety of attitudes and 
motivations of design, production, test and 
operations personnel, employee/management 
rapport, the relation of industrial and labor 
associations among themselves and with the 
Government, human factors in supervision, 
the interfaces of industrial and public safety 
with design and operations, the interest and 
attitudes of top management, the effects of the 
legal system on accident investigations and 
exchange of information, the certification of 
critical operating personnel, political con- 
siderations, public sentiment and many other 
non-technical but vital influences on the at- 
tainment of an acceptable level of risk control. 

Not only does the course cover a wide 
range of subject matter, it is designed to intro- 
duce the principles, requirements, techniques, 
and limitations of system safety to those 
charged with hazard or risk control in the 
following fields: urban planning, environmental 
control, mass transit, automotive safety, hos- 
pital administration, accident investigation, 
insurance underwriting and campus safety. 

Three Titles - The GWU course is not as 
directly related to the military services as 
other system safety courses offered through- 
out the country. Both the University of South- 
ern California course and the one presented 
by the University of Washington are sponsored 
by the United States Air Force. The course 
taught at Texas A&M University is under the 
direction of the United States Army Materiel 
Command. Nonetheless, students from all the 
military services have been and continue to 
be enrolled in the GWU course. 

Carrying out the theme of this Conference— 
"to expand the application of system safety 
principles into the general and consumer in- 
dustries" — GWU advertises its course under 
three titles. The purpose of multiple titles is 
not to confuse anyone but rather, to hopefully 
match impedances with other industries beside 
aerospace. 

Obviously, the course is advertised as a 
"System Safety" course because this term is 
commonly understood in the aerospace in- 
dustry, the military establishment, and in 
NASA. 

Attempting to communicate with a com- 
pletely foreign segment of the economy, GWU 
offers the course as one in "Hazard Control." 
Those who would understand this term much 
easier than they would the term, "system 
safety," include insurance underwriters, hos- 
pital administrators, or perhaps those asso- 
ciated with the mining industry. 

Still another portion of industry is intro- 
duced to the course under the title, "Risk 
Management." This group could include urban 
planners, campus safety managers, and even 
professional football team owners! 

ASSE Sponsorship - The breadth of scope, 
titles and application described above was a 
prime factor in the decision of the American 
Society of Safety Engineers, representing ap- 
proximately 10,000 safety professionals, in 
January 1971 to co-sponsor the GWU course. 
This action by ASSE was unique as it marked 
the first and only official endorsement of any 
university educational activity by that organi- 
zation. 

Student Contribution 

The GWU course is purposely designed to 
utilize and integrate the diversity of experi- 
ence represented by the students attending the 
course. This position is in contrast to courses 
where the instructors supposedly have all 
knowledge on the subject "wrapped up in a box 
with a blue ribbon around it." Rather than 
"pipe knowledge in a straw to naive students," 
the instructors view classroom discussion as 
a learning experience every bit as valid as 
formal lecturing. 

The diversity of backgrounds possessed by 
graduates of previous classes makes this point 
obvious. Students from at least seven cate- 
gories have completed the course: 

Commercial Industries - American Mutual 
Liability Insurance Company, Ebasco Serv- 
ices, Incorporated (major contractor), 
De Leuw, Cather & Company (engineering 
contractor for the Washington Mass Tran- 
sit), and Western Electric. 

Aerospace Industries - General Dynamics, 
Ling-Temco-Vought, Martin Marietta, 
McDonnell Douglas, and Vitro Labora- 
tories. 

Federal Government - Federal Highway Ad- 
ministration, Atomic Energy Commission, 
Bureau of Mines, Federal Aviation Agency, 
National Transportation Safety Board, Na- 
tional Bureau of Standards, and National 
Aeronautics and Space Administration. 

Foreign Governments - Department of Social Action (Mexico) and British Aircraft Corporation.

City/County Governments - Chicago Transit 
Authority, New York City Transit System, 
and Montgomery County (Maryland).

Military Services - Numerous branches within 
the Army, Navy and Air Force.

Universities - Johns Hopkins University and 
The George Washington University. 

APPROACH TO SYSTEM SAFETY 

The GWU course starts off by defining the problem. As Figure 1 states, "We are trying to do well that which we do not understand." Furthermore, we will never understand that which we must do well. Dr. Raymond M. Wilmotte reaffirms this statement in different language: "The uncertainties that remain (in any complex decision) are never zero."

The reason for this pessimistic outlook is 
quite simple. The complexity of most situations 
faced by decision-makers today is far beyond 
any single individual's capability to compre- 
hend them in depth. Yet we are precluded the 
luxury of simply wringing our hands in 
despair— we must still press forward and 
make decisions. 

"Systems" Characteristics 

The systems approach, regardless of its application, has at least eight characteristics, as shown in Figure 2. Since system safety can be described as "the systems approach applied to safety," these eight traits apply directly to system safety. Further, these characteristics differentiate system safety from other safety activities.

A description of each characteristic is repeated from an earlier publication (Reference 2):

Methodical - The systems approach involves a definite method. This method consists of an orderly procedure or way of solving complex problems. All the steps involved in problem-solving are arranged in a consistent and orderly manner.

Objective - The systems approach is also 
objective; i.e., the steps in the problem- 
solving method are free from personal bias 
to the greatest extent possible. Personal opin- 
ion must be identified as such. By maintaining 
this discipline, the results of each step in the 
problem-solving process can be verified or 
confirmed by someone other than the person 
who performed the step. 

Quantitative or Measurable - Almost without exception, each element in the problem-solving process results in a quantitative expression. At the very least, there must be some measurement possible to weigh the validity of the conclusion reached. Because any end product produced by the systems approach is obviously a compromise, it is necessary to weigh the relative merits of each element in the system by some means other than personal opinion. This need to compare alternatives dictates that measurability be one of the characteristics of the systems approach.

Analytical - The systems approach em- 
ploys a rational division of the whole system 
into its constituent parts to find out the nature, 
proportion, function, and interrelationship of 
these parts as they contribute to system ob- 
jectives. This analytical function frequently 
leads to solving system problems by means 
of mathematical models or equations. There- 
by, the elemental variables can be related and 
traded off with respect to each other. 

Subsystem Interdependence - Another char- 
acteristic of the systems approach is a con- 
stant recognition that any given element or 
subsystem is dependent on all the other ele- 
ments in the system. Should the function, di- 
mension, or description of a subsystem be 
revised, such a revision will affect every 
other element to varying degrees. This inter- 
dependence must not only be acknowledged 
but must be accounted for in the systems 
approach. 

Parallel Analysis of Elements - Somewhat 
related to the interdependence of all elements 
and subsystems in the systems approach is 
the concept of treating all elements in parallel 
rather than in series. In contradistinction to 
the Western civilization concept of time as 
being a chronological series of events, each 
one of which must be complete before the next 
can take place, the systems approach demands 
that the end event be considered at the same 
time as the initiating event in order to prop- 
erly balance the allocation of resources to- 
ward solution of the problem. This is com- 
monly known as "womb-to-tomb" thinking. 

Inputs and Outputs in Clear Language - Another important characteristic of the systems approach is the requirement that both inputs and outputs, at all levels in the system, be described in unambiguous language. The key to this requirement is that it removes subjective judgment both as to what is expected in the way of outputs and what is available in terms of inputs to the system. One of the reasons for insisting on the quantitative indices discussed earlier is that numbers do reduce ambiguity.

In simplest terms, a "system" can be defined as "any complete entity consisting of hardware, software, personnel, data, services and facilities which transforms known inputs into desired outputs." Therefore, a system has no meaning unless both inputs and outputs have clear and universal understanding.

Self-Containment/Closed Loop - Since a system has been defined as a "complete entity," this means that a system has individual existence and that it lacks none of its requisite parts. It is complete in itself. A corollary is that the system must be free from any isolated or "orphan" elements which do not contribute to system objectives. Outputs of every element or subsystem must ultimately become part of the system output rather than independent of it. In a sense, this is a restatement of the fact that everything within the system is interdependent.

The Role of the Human 

One difficulty that must be acknowledged in the field of safety is the high percentage of social behavior involved in hazard analysis and prevention. Therefore, the emphasis on human behavior is quite pronounced in the GWU System Safety course. Whether it be called human factors, human engineering, or just plain human awareness, the role of the human is accented heavily.

Figure 3 illustrates the interface that exists between physical and social sciences. Skirting the traditional battle over whether social sciences are "scientific," predictability (which is a cornerstone of scientific endeavor) is an elusive characteristic, at best, in the social sciences. To illustrate this difference between physical and social sciences, the specific gravity of sulfuric acid (H2SO4) has been, is, and will continue to be 1.834, whereas you and I had not been, are not, and never again will be the same persons we were when we awoke this morning!

There will always be a mixture of physical and social forces in any system. However, the mixture ratio will influence the applicability of the systems approach. The higher the percentage of systems effort which involves the physical sciences, the greater the applicability.

The spectrum of system problems in Figure 3 runs from greatest applicability on the left end to least on the right. System safety, as an activity, would probably fall about where "auto safety" is shown. We can do much to make cars safer: crash helmets, harnesses, inflatable bags for crashworthiness. But in the end, can the automobile be made totally safe if the human is ignored? Obviously not. We can never make people wear seatbelts, helmets or chest protectors. Further, we cannot stop them from driving after they have been drinking! My good friend and colleague Chuck Miller has said that we probably should start to design cars to be driven by drunk drivers because there is no way to stop people from driving while drunk.

This pragmatic outlook of accepting the world as it is, rather than idealistically teaching "what ought to be," distinguishes the GWU course from some others.

System Management Foundation

System safety may be the foremost among those activities where moral arguments must be translated or converted into specific tasks. Furthermore, this "conversion into tasks" must ultimately result in specific safety tasks which are described in the language of management: yes, that dirty but real world of cost, performance and schedule.

In a letter dated 14 January 1971, General George S. Brown, Commander of the Air Force Systems Command, said in part:

"Reports of the USAF Inspector General continue to reflect that systems safety within AFSC is unsatisfactory. There are several underlying problems in this area, including the need to train systems safety engineers. To overcome these problems we must have added management emphasis on systems safety at all levels." (Italics added)

The System Safety course at the George Washington University is based firmly on a SYSTEM MANAGEMENT foundation for a number of compelling reasons:

1. Management and professional system safety personnel both have one basic modus operandi: "accomplishing through others." While they both may occasionally get in, roll up their sleeves, and "do something," this is a rare exception. Learning how to step back from the daily rush of detail activity to view the "big picture" of the systems approach is vital to effective system safety work. Further, if the system safety professional accepts a role as simply an "engineer," "analyst," or "investigator," he cannot hope to accomplish his mission because these "doing" roles are only partials of a whole picture.

2. A corollary to the first reason is that since system safety personnel "assure that a system is safe" rather than personally "make the system safe," they must have a 1:1 communication link with management. How can they hope to communicate with top management if they take less than a system management viewpoint? How will they know the system management viewpoint if they have not studied it?

3. One of the major advances of MIL- 
STD-882 over earlier system safety speci- 
fications was in pioneering the concept that 
system safety was far larger in scope than 
just "engineering." To state this idea 
another way, you could be the best safety 
engineer, analyst or investigator in all the 
world and still be no more effective in 
achieving system safety than if you were 
in Tibet, if you fail to comprehend system 
management. 

4. A primary precept of system safety is that no area or activity in the system development process is free from creating hazards. Therefore, since system safety personnel must be sensitive to all sources of hazards (and management is a hazard source as shown in the Venn diagram of Figure 4), it is imperative to start the study of system safety on the base of system management, the most pervasive activity in system development.

It is no accident that management is listed prior to science and engineering in this definition used in the GWU course:

"System safety is the optimum degree 
of hazard elimination and/or control within 
the constraints or operational effective- 
ness, time and cost, attained through the 
specific application of management, scien- 
tific and engineering principles throughout 
all phases of a system life cycle." 

The interrelationship of man, machine, media, and management in Figure 4 contains 15 different categories; e.g., man/media, machine/management, media/man/machine/management, etc. Each one of those categories is a source for system hazards which must be either eliminated or controlled.
Using rapid rail transit as an example in
Figure 5, management is prominent as a fac- 
tor in contributing to hazards. As a warning, 
it should be obvious that Figure 5 ignores the 
interaction between the factors listed; e.g., 
possible interaction between passenger ve- 
hicle seat versus stand ratio and accident 
investigation procedures. 

Likewise, most of the individual events 
shown in the Fault Tree illustration in Figure 
6 have resulted from management decisions; 
e.g., policies, procedures, design selections 
or accepted risks. Note also the high per- 
centage of events in the Tree that are social 
rather than physical in content. 

Figures 4, 5, and 6 are not meant to be 
exhaustive and complete but to simply trigger 
further thought and expand the analyst's think- 
ing regarding hazard sources. In fact, the 
GWU course is often described as a "mind 
expander." An attempt is made to open up new 
ways of thinking about hazards, followed by 
devising methods to either eliminate or con- 
trol the identified hazards. 

Integrative Aspect 

A prime thesis of the GWU course is that 
system safety is not another "specialty" but 
an integrative activity among the already- 
too-many specialties. Figure 7 depicts system 
safety as the "mortar between the bricks" 
that makes possible a strong wall (system). 
In other words, the philosophy of the course 
is that system safety personnel should not be 
"out-designing the designer." Rather, they 
should be concentrating their attention on the 
many interfaces created between functions 
whenever a large and complex system is 
divided up into smaller units. 

As Figure 7 shows, "design" is separated 
from "testing," and when this division occurs 
(necessary as it may be), there are inevitable 
problems often overlooked by both designers 
and test engineers. This interface is typical 
of those areas where system safety personnel 
will realize the greatest payoff in terms of 
hazard potential. 

FOCUSING FOR MANAGEMENT DECISION 

The system safety professional has only one ultimate "reason for being," which is to provide top management with one of two inputs for management decision: (1) the system under consideration is safe enough, or (2) the system under consideration still has the following identified hazards which are neither eliminated nor controlled satisfactorily to meet the system objectives.

As stated earlier, safety is basically a moral argument; i.e., "No one should get killed or injured and there should be no property loss as a result of operating this system." Unfortunately, there are literally millions of moral arguments of equal conviction. Management has no way to handle moral arguments. They do not fit nicely into equations, calculations, or profit/loss ledgers. They must be converted into a new language.

How can safety then be translated into 
management language? What is the language of 
management? Management language is three- 
dimensional— cost, performance and schedule. 
To bridge the gap then between a moral argu- 
ment and the world of cost, performance and 
schedule, there must be a methodology. 

In a nutshell, the methodology required has 
five basic steps: 

1. All possible hazards must be identified.

2. These identified hazards must be ranked first for their severity.

3. These identified hazards must be ranked secondly for their likelihood of occurrence.

4. These identified hazards must be ranked thirdly for the cost, in resources, of either eliminating or controlling them in the system.

5. The rankings of steps 2, 3, and 4 must be combined into a single ranking of management consequence; i.e., where the most severe which will occur most frequently and can be eliminated for the least resource expenditure are on top.

Each of the five basic steps required to translate the moral argument for safety into language that any manager can understand is discussed briefly.

Step 1 - Identify Hazards 

This is the function of the various analyti- 
cal techniques such as Hazard Mode and Effect 
Analysis (HMEA), Gross Hazard Analysis, and 
Fault Tree Analysis. Equally essential with 
these techniques are analysts with inquisitive,
imaginative, and indefatigable minds. Ironi- 
cally, some system safety courses cover only 
this first analytical step. 

Step 2 - Rank Hazards for Severity 

Continuing to use rapid rail transit as an example, Figure 8 is a conversion of the four hazard levels of MIL-STD-882 into rail transit effects. Rather than having everyone decide what a "critical" hazard is, the translation has been made so that there is universal understanding of this level. If there were 478 hazards identified in Step 1, then every one of the 478 should have either an A, B, C, or D assigned to it.

Step 3 - Rank Hazards for Likelihood 

After all 478 identified hazards have been categorized for severity, they must be ranked for probability of occurrence. One example of how this might be accomplished is shown in Figure 9. The reason that the four levels of probability are in a logarithmic scale is because the human response to sensory stimuli, according to Fechner's Law, is logarithmic. Perception of probabilities is probably similar to sensory perception. When this step is complete, all 478 identified hazards should have two letters assigned, one for severity and one for probability.

Step 4 - Rank Hazards for Elimination/Control Resources

The third letter to be assigned each of the 478 hazards should be from a table such as shown in Figure 10. This step requires an intermediate conversion of various resources (e.g., policy, procedures, manpower, technology, facilities, materials, and schedule) into a dollar equivalence prior to selecting a code letter. Nevertheless, this estimate of the amount of resources is essential in order to speak management's language. Now all 478 hazards have three letters assigned.

Step 5 - Rank Hazards for Management Consequence

Once three code letters (one each from Steps 2, 3, and 4) have been assigned to all 478 identified hazards, the focusing for management consequence is achieved by combining the three individual code letters into one overall index of significance. The Hazard Totem Pole shown in Figure 11 lists these code combinations in order of consequence for management decision.

Obviously, there are never enough resources to completely eliminate every possible hazard. For this reason, management must set a "decision point" or cutoff level in the Hazard Totem Pole. This decision point is drawn at that significance ranking code below which all remaining hazards will be ignored. The decision point may be established by either (1) the reduction of hazard significance to a level which management considers adequate or (2) the depletion of resources available for application to hazard elimination or control.

To illustrate this decision point, management could decide that it will eliminate and/or control all hazards in the first 7 levels or categories in the Hazard Totem Pole; i.e., all the AJP, AJQ, AKP, BJP, AJR, AKQ, and ALP hazards. This would mean that 31 of the 478 identified hazards will require resources to be allocated by management for purposes of eliminating or controlling the hazards. (Note that there were no AJQ or AKQ hazards.)

It is important to also note that while management will be committing resources for the first 7 levels in the Hazard Totem Pole, they will, by this very action, be deliberately ignoring all remaining 57 levels in the Hazard Totem Pole (which contain the remaining 447 hazards). Therefore, the decision point becomes that point which separates action from inaction regarding hazards.
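The five steps and the decision point can be worked through in code. The following Python is an added illustration written for this edition; it is not code from the paper or from the GWU course. The severity letters A-D correspond to the four MIL-STD-882 hazard levels of Figure 8. The likelihood letters J-M, the resource letters P-S, the logarithmic probability bands, the dollar bands, the Totem Pole ordering rule and the sample rail-transit hazards are all assumptions. The ordering rule (sum of the three letter positions, ties broken by severity, then likelihood, then cost) was chosen because it reproduces the seven levels quoted above and yields the 64 levels (7 funded plus 57 ignored) that the text counts; the actual ordering of Figure 11 is not reproduced on the page. Step 1 is represented only by the checklist of 15 hazard-source categories from the Venn diagram of Figure 4; the analytical techniques themselves are not modelled.

```python
"""Hazard Totem Pole: rank identified hazards by severity, likelihood and
elimination/control cost, then apply management's decision point.
Added illustration, not the paper's code; the letter codes beyond A-D,
the bands, the ordering rule and the sample hazards are assumptions."""
from itertools import combinations, product

# Figure 4: the four hazard-source factors. Every non-empty combination is
# a category in which hazards must be sought in Step 1 (15 in all).
FACTORS = ("man", "machine", "media", "management")


def hazard_source_categories():
    """Return the 15 hazard-source categories of the Venn diagram."""
    return ["/".join(c) for r in range(1, 5) for c in combinations(FACTORS, r)]


# Code letters. A, J and P are the worst severity, the highest likelihood
# and the cheapest fix respectively. J-M and P-S are assumed; they match
# the combinations the text quotes (AJP, AJQ, AKP, BJP, AJR, AKQ, ALP) and
# give 4 x 4 x 4 = 64 levels, the 7 + 57 that the text counts.
SEVERITY = "ABCD"
LIKELIHOOD = "JKLM"
RESOURCES = "PQRS"


def likelihood_code(p_per_year):
    """Step 3: bin a probability estimate on a logarithmic scale (the text
    cites Fechner's Law for that choice). Decade thresholds are assumed."""
    for threshold, letter in ((1e-1, "J"), (1e-2, "K"), (1e-3, "L")):
        if p_per_year >= threshold:
            return letter
    return "M"


def resource_code(dollar_equivalent):
    """Step 4: bin the dollar equivalent of the resources needed to
    eliminate or control the hazard. The bands are assumed."""
    for limit, letter in ((10_000, "P"), (100_000, "Q"), (1_000_000, "R")):
        if dollar_equivalent < limit:
            return letter
    return "S"


def totem_pole_key(code):
    """Assumed ordering rule for the Hazard Totem Pole (Figure 11): sum of
    the three letter positions, ties broken by severity, then likelihood,
    then cost. This reproduces the seven levels quoted in the text."""
    s = SEVERITY.index(code[0])
    lk = LIKELIHOOD.index(code[1])
    r = RESOURCES.index(code[2])
    return (s + lk + r, s, lk, r)


def totem_pole():
    """Step 5: all 64 code combinations, most consequential first."""
    codes = ["".join(c) for c in product(SEVERITY, LIKELIHOOD, RESOURCES)]
    return sorted(codes, key=totem_pole_key)


def code_hazards(hazards):
    """Steps 2-4: assign the three-letter code to each identified hazard.
    hazards maps name -> (severity letter, probability, dollar equivalent)."""
    return {name: sev + likelihood_code(p) + resource_code(cost)
            for name, (sev, p, cost) in hazards.items()}


def decision_point(hazards, levels):
    """Apply management's cutoff: hazards in the first `levels` Totem Pole
    levels get resources; everything below is deliberately ignored."""
    funded_levels = set(totem_pole()[:levels])
    coded = code_hazards(hazards)
    act = {n: c for n, c in coded.items() if c in funded_levels}
    ignore = {n: c for n, c in coded.items() if c not in funded_levels}
    return act, ignore


# Constructed rapid-rail hazards (not from the paper): severity letter,
# estimated probability per year, dollar equivalent of the fix.
SAMPLE_HAZARDS = {
    "third-rail contact at platform edge": ("A", 0.2, 5_000),
    "door closes on boarding passenger": ("B", 0.3, 2_000),
    "signal system failure": ("A", 0.005, 500_000),
    "slippery platform surface": ("C", 0.5, 1_000),
    "escalator handrail stops": ("D", 0.5, 500),
}

if __name__ == "__main__":
    act, ignore = decision_point(SAMPLE_HAZARDS, 7)
    print("first seven levels:", totem_pole()[:7])
    print("resources allocated:", act)
    print("deliberately ignored:", ignore)
```

With the cutoff at seven levels, only the two sample hazards coded AJP and BJP fall above the decision point; the A-severity signal failure is coded ALR and is left below the line because it is both less likely and expensive to control, which is exactly the trade-off the text says management must make explicit rather than leave to moral argument.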

RESOLUTION OF HAZARDS 

MIL-STD-882 describes a series of actions 
for satisfying safety requirements of a system 
design. The series is known as "system safety 
precedence." This precedence is shown in 
logic diagram format in Figure 12. 

Continuing the rapid rail transit example 
where management has now decided to elimi- 
nate or control 31 of the 478 identified hazards 
in the Hazard Totem Pole, a decision must be 
made on HOW to eliminate or control them. 
Figure 12 shows four alternatives (numbered 
1 through 4) for this decision. 
With the exception of those hazards which can be eliminated very economically early in the design stage, the four alternatives of Figure 12 are numbered in a hierarchy of decreasing effectiveness as well as decreasing cost. Therefore, the lower the number in the hierarchy, the more effective the choice will be in satisfying system safety requirements even though there may be higher cost associated with the action. (A more detailed discussion of this concept appears in Reference 3.)

The dotted lines in Figure 12 illustrate something not discussed in MIL-STD-882. Two conditions, both of which are undesirable, are shown in dotted lines. First, a system can be tolerant to identified hazards without the knowledge of either designers or operators. Secondly, the system can be intolerant to identified hazards, either unknowingly (most serious) or knowingly. Hazards which are knowingly intolerable are often described as "accepted risks." Those risks are the ones for which insurance is purchased.
[Figure: Interrelationship of System Safety Factors]

[Figure: SYSTEM SAFETY, "Tie Strength Between Functions"]

[Figure: Rail Transit Fault Tree Illustration]

SYSTEM SAFETY EDUCATION FOCUSED ON SYSTEM MANAGEMENT
Vernon L. Grose

[Figure 11]

SECTION III 

QUESTIONS AND ANSWERS 


QUESTION: I would like to ask the panel if there is any concerted effort in the educational field to incorporate a system safety engineering course in all undergraduate engineering programs: aeronautical, industrial, electrical, etc.

DR. JOHNSTON: We can only speak for 
the industrial engineering department. As far 
as I know Texas A&M has none. Actually what 
we are looking at in a system safety engineer- 
ing course as far as for a person working on 
a degree in mechanical engineering or some- 
thing at the undergraduate level, this would 
have to be an elective. What we are doing at 
Texas A&M is trying to make people in all 
the engineering disciplines aware, probably 
more so toward product safety and product 
liability. We are getting more and more people 
to come in and take the courses as electives, 
but as far as a requirement, I would say there 
is no attempt to put it into the undergraduate 
discipline across the board. Most all of the 
people that take or get a B.S. in industrial 
engineering will take a course in system 
safety engineering as it is offered. 

MR. GROSE: Gene, I don't know if you care to respond to this or not; are you aware of any activities at USC where they have tried to introduce this?

EUGENE HOLT: I don't think that is necessarily a good idea. Outside of a system safety curriculum or a safety program, the only way to incorporate system safety engineering into EE or ME courses, I think, would be in each basic course and that would be rather hard to do. I think because of the basic structure of universities and the way curriculums are established, etc., it would be hard to do that. It is a good idea but at present it is not workable, I am afraid.

JACK MANSFIELD (GWU): It is about the same answer you just got from Gene Holt. This was discussed very recently at a system safety society meeting here in Washington. As a matter of how to get this into an undergraduate, should something be put in, I think it will not come by the university taking the initiative on it. If it comes it is going to be by societies or conferences or things making recommendations and putting a little pressure on universities to get something like this as a part of some undergraduate course. I don't think a complete course itself would be of value because it would be an elective almost certainly and would not cover a great many people. A portion of a few hours of this type of thing in some other undergraduate course would be an effective thing at least as a beginning and as I say it is going to have to come from pressure outside.

GEORGE CRANSTON: I have a question that is related to the one that was just asked. I want to put it in a little different way, I think. We have been told by the educators this morning that we do not have a philosophy of system safety, or asking us if we have a philosophy of system safety; that is a legitimate question, but I want to turn the question around after what I have heard and ask them if they have a philosophy of education in our university system, and the reason I ask this, from what I have heard it appears that every course is a special course started to meet some special need of some special organization. What we have heard today is the philosophy of that particular course to meet that need, but we have not heard a philosophy about how we educate people generally in this field.

ANSWER: I think to the common layman it would seem an easier task than it really is to break through the structures at universities. You have to understand the curriculum committees to start with. University curriculum committees are a very strange kind of thing. You approach them with a new idea; no matter how firmly and strongly you believe in it you have to convince them and sometimes they are very hard to convince. It is very true, Mr. Cranston, that these are special interest kind of courses that we have discussed this morning and unfortunately, that is the level we are at right now. I agree with you, we need to do something about that and to motivate. I think maybe an aroused and intelligent public will do that. Societies will do that; if we will continue to motivate people, it might happen.

MR. GROSE: I think you can leave that one open, George, as a rhetorical question.

DR. BALL: This is a comment related to 
the last question and then a direct question. 
A couple of weeks ago the National Academy 
of Engineering held a two day conference on 
consumer products. Dr. Carl Clark will be 
speaking on this subject tomorrow and this 
first workshop was on safety. One of the rec- 
ommendations that came out of that workshop 
had to do with the education of the people who 
are designing and will be designing consumer 
products such as mowing machines, bicycles, 
etc. It seems to me that the essence is to 
teach the design decision-making process. 
I think it is quite impractical for every aspect 
of design decision-making to be taught in a 
separate course so my comment would be that 
there is a tremendous need in the consumer 
products area, that the essence is to teach the
design decision process, to teach the design 
and to take into account all aspects of design 
decision-making including the safety. My ques- 
tion would be to what extent are you teaching 
the design decision process, have you in- 
cluded safety in this area, not as a special 
course, not as an option, but simply as an 
inherent and integral part in the design deci- 
sion process? 

ANSWER: In fairness I think to that question, those present here today are not in the decision making position in the university in order to do that. I think it is one of those things that we are obliged to do though from a professional point of view, to urge that this be done inside university structures. It suffers from all the ills of any bureaucracy I'm sure and it only responds very lethargically to any impulse that comes from society, and I think it is one of those things that conferences like this are essential in proposing as well as professional societies and other people like Ralph Nader. Mr. Nader even has his own way of making himself known but the point is that I agree with what you say, Les, that the decision-making process is sufficiently broad that we cannot afford specialized courses. We do need to focus one more time because the university process has been one of division and separating it to specialties when in actuality I'm sure we need an integrated type of teaching in the universities.

JERRY LEDERER: I have three different comments. First of all, about ten years ago I got the Deans of some of the country's foremost engineering schools together to discuss putting into the curricula some safety and especially human factors and I was told that there just isn't time. Some universities such as Cornell had increased their engineering course to 5 years to put in humanities as they thought the students should have something on humanities. They had gotten to the point where they are giving them almost entirely engineering. There isn't time, they said, to do this. I would think that at least they could give a couple of electives per semester to get the students thinking about this. The second thing is that we have heard all through this conference that it is the executive who makes the decisions, the businessman. How many universities, if any, have a lecture or two lecturers in their schools of business administration so that you can get the men who become the administrators to recognize there is such a problem? I wouldn't call it safety, I'd call it risk management, part of the management picture. The third item is in connection with the use of system safety for accident investigation. The idea was advanced that you could use those same logic diagrams to conduct the investigation. Also you can use the logic diagrams that were involved in the design to help with the investigation. If you can go back to those logic diagrams, I would think it would facilitate the investigation of an accident enormously in many cases, where structural problems are concerned or systems problems come up, failure of systems and things like that.

QUESTION: I'm not sure that there is 
such a thing as a non-Government-related 
industry any more, but if there is such a thing, 
is there any indication that this side of in- 
dustry is accepting the concept of system 
safety as well as the educational side and 
providing opportunities in form of jobs and 
salaries that would lure the people from engi- 
neering into the system safety side of the 
house? 
ANSWER: I'll respond and I don't know of any. I would just simply say this. I am reasonably certain that the recent emphasis on product reliability is causing the civil sector of the economy to respond to the idea that there are risks that must be addressed and our experience in our particular course is that the students attending from other than aerospace or military part of the economy say that there is a ground swell. It may not be great yet, but it is perceptible and I think we are going to see increasing interest in that area.

COMMENT: I have an observation. I recently read a report that the President of Honda Motor Company that makes the automobiles in Japan has been accused of murder due to reported 16 or 17 deaths which supposedly are due to a design deficiency in the automobile. They are accusing the President of that Company of murder. Obviously, Japan has kind of a strange legal system but those kinds of activities might motivate the consumer product people to respond. 

JOHN FRENCH/MSC: I'd like to make one 
comment. In keeping abreast of system safety 
activities it would appear appropriate that you 
visit some of the NASA Centers. I'll speak for 
Manned Spacecraft Center specifically because 
we have been involved in system safety from 
a management and engineering technique 
standpoint. I would like to welcome any of you 
gentlemen to come down and discuss these 
things with us. 

C.O. MILLER: Vern, addressing the last two questions, I might mention a visitor we had at the Board a couple of weeks ago. He was a Professor of Engineering from a Midwest University. He had never heard of the term "System Safety" and frankly I don't really know what prompted his visit other than he said, "I've been worried that our people have been coming out of the engineering schools without an appreciation for the hazards that can be designed into a program." I then broke into my standard three-hour lecture on system safety. The point is, I think there is an awareness, well outside the DoD environment on this particular problem as typified by this man. What I gained from it, and I would offer a challenge to not only you on the stage but the people in the audience, I wonder why we don't go back in our memories to our undergraduate days and say for example in aeronautical or say an aerodynamics course, how would we go back to our professor and say, where could you in this course, within its existing framework, introduce some thoughts about system safety? 

I submit that I could do this. I could go 
back in and talk to them about stall spin acci- 
dents and where in his course, just as he 
teaches it today, in an analytical sense or any 
of a number of other ways, he could come up 
and engender a feeling in this undergraduate 
that you ought to look at the hazards. I believe 
every single one of us, if we chose to, could 
go back into our own undergraduate field and 
introduce ideas like this but it is a monu- 
mental task. 

MR. GROSE: Do you have a practical way, Chuck, to suggest how this might be done? Should we all go back to our own schools as alumni? 

MR. MILLER: I think it would be a tre- 
mendous challenge to the system safety society 
to do just this on a local basis. 

MR. SHAW/TRW: One of the means ob- 
viously of broad education is availability of the 
literature. Most everyone in the engineering 
game recognizes it gets obsolete pretty quick 
and it is a habit of most of the brotherhood to 
read widely. Coupling that with the idea of the 
old academic principle of publish or perish, 
I'd like to raise the question, do any of you 
gentlemen know of texts available or being 
prepared at this time on the general subject 
of system safety? 

MR. GROSE: Willie Hammer who spoke 
yesterday morning is writing a book about it. 
Willie's book, he tells me, is within 9 months 
of publication. I have reason to believe there 
are other books in the mill but I don't have 
dates. 

MR. HOLT: I would like to get a plug out 
of this. In collaboration with Mr. Richard L. 
Reeb, who is system safety manager of 
McDonnell-Douglas Astronautics in Huntington 
Beach, California, he and I, he is writing a 
management section and I am writing an engi- 
neering section, we're trying to write a book. 
We don't have any dates but we've got quite a 
few pages together now — it’s looking good. 
COMMENT: I might add one thing too, Bill 
Rogers at TRW has one in preparation. I have 
no idea of the date there either. 

R. ALTGELT / EATON CORPORATION: I would like to know whether there is a science we might call safety economics that would say, to put it into example form, that one accident would take on the average one man-life and we could show that in the course of a year say X men's lives are taken by this typical accident occurring, and we could show that it would take Y men's lives of people who are working in factories to eliminate this or eliminate a percentage of this. So far I have been dodging the dollar aspects of it and I recognize a man's life snuffed out isn't the same as the man-life consumed in the shop; to add another aspect, conceivably there would be some man-lives that would be lost in industrial accidents producing this apparatus; but I'm wondering, then of course the insurance companies would come in and assign a dollar value to the man-lives and premiums that they have to put out and industries could perhaps be faced with law suits, which could be assigned a dollar value. I'm wondering if there is a science that approaches safety in this way, dollars lost versus dollars spent to prevent, or lives lost versus lives spent to prevent? 

ANSWER: I would think that all of our 
courses try to take this approach. Basically, 
we try to show the economics whether we are 
talking about designing a system or probably 
the specific course would be in our industrial 
safety-type courses where we talk about cost 
of accidents, accident elimination and budget- 
ing for safety. I think this is our philosophy 
inherent in all of our courses. It's the name 
of the game, really. 
INTRODUCTION 

This paper is concerned with those requirements for safety that are, or should be, part of the hierarchy of contractual relationships between government and prime contractors, prime and subcontractors, and subcontractors and vendors. 

Each of these interfaces involves the con- 
tractual sequence of 

1. Request for proposal (RFP's) 

2. Proposal documents 

3. Contractor selection 

4. Contractor performance measure- 
ment 

5. Fee adjudication 

Safety requirements are, or should be, a sig- 
nificant factor in all five of these aspects of 
the buyer-seller relationship. 

The National Aeronautics and Space Agency, 
the Department of Defense, and most aero- 
space prime contractors have already a surfeit 
of policy statements and general specifications 
that require that safety should be a significant 
factor in their contracting practices. The pur- 
pose of this paper is neither to add to nor to 
summarize these policy and specification re- 
quirements. Rather, our purpose is to invite 
attention to some of the ways in which tradi- 
tional contracting methods fail to give confi- 
dence in the achievement of safety and then to 
show how modern system engineering and 
system management techniques have pro- 
vided us with the means to overcome these 
shortcomings in our traditional contracting 
practices. 

OUTPUT CONTRACTING 

Let us start our discussion by recognizing 
two very popular sayings. These sayings have 
typified supplier attitudes ever since the birth 
of aerospace industry. They are "Tell me what 
you want, don't tell me what to do" and "Once 
the contract is signed, leave me alone until 
I am ready to deliver the product." Govern- 
ment documents use the term "disengagement 
policy" to describe this seller attitude to the 
buyer- seller relationship. Figure 1 "Condi- 
tions For Output Contracting" sets forth four 
conditions that must exist if this type of rela- 
tionship is to be acceptable to the buyer. 


The term "Tangible Characteristics" will 
be used for those product characteristics that 
meet the first two conditions shown in Figure 1. 
For example, in the case of an automobile, 
top speed, miles per gallon, turning radius, 
and trunk capacity are tangible characteristics 
because they can be specified quantitatively and 
they can be demonstrated by quantitative test. 

The term "Intangible Characteristics" will 
be used for those product characteristics that 
either cannot be specified quantitatively or, 
if specified, cannot be measured within ac- 
ceptable cost and schedule constraints. In the 
case of an automobile, the intangible charac- 
teristics include safety and to some extent the 
characteristics of operational reliability and 
quality. In the case of a complex aerospace 
system, the intangible characteristics may 
include many other characteristics, such as 
electromagnetic compatibility or storage reli- 
ability. 

When all the essential characteristics of 
a product are tangible, output contracting is 
the preferred method of contracting from the 
point of view of both the buyer and the seller. 
Obviously this is so, because it minimizes 
the time and effort required by both parties to 
negotiate and to monitor the fulfillment of 
the contract. However, even when all essen- 
tial characteristics are tangible, development 
risks may make the seller unwilling to forego 
payment until he has developed the new prod- 
uct and demonstrated that it meets all the 
specified characteristic requirements. For 
example, in the case of most missile and 
space systems, United States aerospace com- 
panies are neither willing nor able to forego 
payment until they have developed a new sys- 
tem, even if all the essential characteristics 
can be specified and demonstrated by test. 

Quite often in the aerospace industry, the customer is unable to meet the fourth condition shown in Figure 1. For example, in the case of the atomic bomb, the intercontinental ballistic missiles, or the Apollo space program, failure to meet all the essential product characteristics within the defined development time would have meant a national disaster. 

In summary, we may say that pure output contracting often is unacceptable either because certain characteristics of a product are intangible or because either the seller or the buyer cannot tolerate some of the risks that are inherent in developing a complex new product. 

INPUT CONTRACTING 

Let us ask, if it is not possible for a buyer 
and a seller to contract solely on the basis of 
defining and demonstrating the characteristics 
of the product, what then can be done? The only 
choice is for the buyer and the seller to sup- 
plement output contracting by defining the work 
that the seller will do and paying for the ac- 
complishment of this work. We will call this 
type of arrangement "input contracting." 

A precedent for input contracting was 
established long ago when the government 
contracted with universities for research. 
It is inherent in the nature of research that 
the product cannot be defined and certainly 
cannot be guaranteed. Consequently, the agree- 
ment between the buyer and the seller is for 
a defined effort which the seller will make in 
fulfillment of the contract. 

An oversimplification of input contracting 
would be to say that it consisted of negotiating 
program plans and monitoring the compliance 
with the execution of these plans as a condition 
for payment of the contract costs. 

CONTRACTING FOR SAFETY IN THE 1960'S 

During the 1960's, several relatively in- 
tangible characteristics became of vital im- 
portance to the customer. Some of the most 
important of these characteristics were reli- 
ability, maintainability, safety, electromag- 
netic compatibility, and security. 

For each of these characteristics, an effort 
was made to apply the principles of output 
contracting. For example, several of us were 
involved in helping develop the first Depart- 
ment of Defense policy on reliability. This 
policy oversimplified the problem of con- 
tracting for reliability by stating bluntly that 
quantitative values would be specified in all 
procurement contracts and that they would be 
demonstrated before the product was accepted 
by the government. By the time that contract- 
ing for the intercontinental ballistic missiles 
came along, it was recognized that output con- 
tracting was inadequate because condition 
three in Figure 1 was unacceptable to aero- 
space industry and that condition four was 
utterly unacceptable to the government agen- 
cies. Consequently, input contracting in the 
form of requirements for the negotiation, 
execution, and auditing of reliability program 
plans developed as a supplement to specifi- 
cation and demonstration of quantitative reli- 
ability values. 

In the case of safety, there were some 
initial efforts to apply output contracting by 
specifying accident probabilities and requiring 
demonstration of these probabilities by quanti- 
tative analysis. However, the limitations of 
this approach soon were recognized and during 
the 1960's, contracting for safety was domi- 
nated by requirements for safety program 
plans. These requirements did lead to the 
growth of a substantial system safety engi- 
neering profession. In this author's opinion, 
many of the members of this profession 
together with the program plans that they 
wrote and executed did achieve substantial 
good. However, a realistic assessment of the 
current situation must include the criticisms 
set forth in Figure 2 "Criticisms of Specialist 
Program Plans." 

In general, safety program plans are written by system safety specialist engineers in the contractor's organization to satisfy their professional colleagues in the government agency's organization. In the opinion of many designers, the writing and execution of these program plans has no real impact on their design decisions, and in the opinion of many program managers, these plans have no real impact on their program management decisions. 

In the present atmosphere of severe cost 
reduction throughout the aerospace industry, 
all specialist engineering staffs are vulnerable. 
In particular, system safety staffs are being 
and must be reduced from the levels that 
existed in the late 1960's. 

A relatively new factor has been brought 
out within the National Aeronautics and Space 
Agency by the deliberations of the McCurdy 
Committee on procurement practices. Some 
members of this committee have pointed out 
that government specialist engineers, such 
as system safety engineers, tend to tell the 
competing contractors so exactly what they 
require in a program plan that the resulting 
proposal documents are essentially identical. 
Consequently, a source evaluation board is not 
able to establish discriminators between com- 
peting contractors on the basis of their safety 
or other specialist engineering program plans. 

CONTRACTING FOR SAFETY IN THE 1970'S 

During the first sixteen months of the 
1970's, there has been a marked trend away 
from a multiplicity of specialist engineering 
program plans and toward the five basic func- 
tion program plans shown in Figure 3. Contin- 
uance of this trend will result in contracting 
for safety and other intangible characteristics 
being performed in a manner represented by 
Figure 4 "Safety Inputs To Contracting." Let 
us now use Figure 4 as a basis for discussing 
safety inputs into the five steps in contracting 
shown in the left-hand column. 

STEP 1 - REQUEST FOR PROPOSAL 

From the point of view of the system safety 
engineer, the essential elements of even the 
most voluminous request for proposal are 
as follows: 

1. Product Specifications which define 
quantitative requirements for the 
tangible characteristics and quali- 
tative requirements for the intangi- 
ble characteristics of the product 
which is to be developed. 

2. A Statement of Work delineating the 
development activities that the buyer 
considers must be performed by 
the seller to give confidence in the 
achievement of both the required 
tangible and the required intangible 
characteristics. 

3. Proposal Data List delineating the 
development program planning data 
that all the sellers must submit to 
support the source evaluation and 
contractor selection processes. 

4. Performance Measurement Data List 
delineating the development program 
control data that the successful con- 
tractor must submit during the exe- 
cution of the contract. 

Item 1 in this list corresponds with the Product Specification column in Figure 4. Items 2, 3, and 4 correspond with the five Basic Program Plans columns shown in Figure 4. 

Safety inputs to the product specification inevitably include a motherhood type statement that safety must be a primary consideration in design. However, these inputs can include quite specific requirements such as control of materials flammability, or the use of redundancy to control single point failures for catastrophic hazards. Design practices criteria, in the form of checklists based on experience retention, are applicable to assuring the adequacy of safety engineering inputs into the Product Specification segment of the request for proposal. 

The Program Management Plan should be written by the contractor's program manager. It should be a first person description of how he will use his authority and his program management techniques to assure achievement of all the product characteristics set forth in the Product Specification. Specifically, it should describe how he will make use of specialist engineers to help assure that design decisions are right the first time and also to assure that design errors are detected and corrected at the earliest possible time. For example, it should discuss the role of safety analysis in guiding design decisions and participation of safety engineers in design reviews and development failure analyses. 

The Manufacturing Plan should be written by the contractor's manufacturing manager. It should include descriptions of how he will assure achievement of operational safety in the factory and how he will use people such as manufacturing planners and quality engineers to support hazard identification and hazard control. 

The Support and Use Plan should be similar to the Manufacturing Plan in that it also should describe how the support manager will assure operational safety and how his quality assurance engineers will contribute to hazard control. 

The Integrated Test Plan should bring together in one document an account of development testing, design verification testing, receiving inspection testing, manufacturing check testing, quality acceptance testing, and so on through operational checkout testing. It should include descriptions of how appropriate supervisors will assure both the safety of the personnel conducting the test and protection of the operational equipment from the stresses that may be imposed during testing. 

STEP 2 - PROPOSAL DOCUMENTS 

The same safety criteria, set forth in 
checklist form, which the buyer requires for 
writing the request for proposal, are needed 
by the seller for responding to these require- 
ments with his Proposal Documents. The 
specification segments of his proposal should 
show how the design that he intends to develop 
will be capable of achieving all the require- 
ments including the safety requirements. 

The program plan segments of the seller's 
proposal should first describe the resources 
that he has available for performance of those 
critical activities that are either set forth in 
the request for proposal or proposed by the 
seller himself. In this context, the term 
"resources" includes the procedures, such as 
safety analysis procedures, the supporting 
data, and the available qualified people, such 
as professional safety engineers. The seller's 
Program Management Plan should show how 
his development program organization will 
facilitate communication between specialist 
engineers, such as safety engineers, and the 
design and program decision makers. Each of 
the other program plans should deal with haz- 
ard identification and control activities that 
are appropriate to the basic function covered 
by the plan. 

STEP 3 - CONTRACTOR SELECTION 

Let us distinguish between two extreme 
cases. In the first case, the buyer has told 
the seller in the request for proposal pre- 
cisely what he wants done in each area, such 
as the system safety area. This means that 
the buyer has identified all the critical activ- 
ities that he wants to be performed during the 
development program. In this case, the only 
basis for contractor selection is to evaluate 
the potential effectiveness of the resources 
that the seller is offering relative to each 
critical activity. This type of request for pro- 
posal has been a major cause of the fifth 
criticism shown in Figure 2. 


In the other extreme case, the buyer has not told the seller what critical activities he wants to be performed; however, he has asked the seller to propose such activities. For example, he may ask the seller "What has been your experience in regard to the achievement of system safety? What activities do you propose to perform?" In this case, the source evaluation process must give credit to the seller's identification of appropriate critical activities as well as to the resources that he proposes to put to work to accomplish these activities. 

STEP 4 - PERFORMANCE MEASUREMENT 

For the tangible characteristics, perform- 
ance measurement is dominated by qualifi- 
cation testing and system testing. These tests 
demonstrate that the quantitative values re- 
quired by the product specification have been 
achieved by the seller's design. 

In the case of safety and other intangible 
characteristics, quantitative performance 
measurement is almost meaningless. Conse- 
quently, criteria must be established for eval- 
uating the performance of the critical activi- 
ties set forth in the five basic program plans. 
The key to accomplishing this objective is 
illustrated by Figure 5. Modern system man- 
agement requires that all the work to be ac- 
complished during a development contract be 
related to a single Work Breakdown Structure. 
Cost Accounts are formed by matrixing the 
work breakdown structure with the contrac- 
tor's organization units. Work Packages may 
be formed in several logical manners. This 
chart illustrates the formation of work pack- 
ages by dividing the work to be done by a par- 
ticular organization on a particular work 
breakdown structure item into short duration 
packages. 

The vital management requirement illustrated by Figure 5 is that critical activities, such as safety analyses, must be specifically required and scheduled and funded by their inclusion in the Work Package Work Description. Also, satisfactory completion of the critical activities must be provided for by inclusion of tangible criteria in the Work Package Closeout Criteria. For example, such criteria must be established for the accomplishment of each type of hazard identification analysis and for each type of hazard control activity. 
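The Figure 5 arrangement described above (the Work Breakdown Structure matrixed with organization units to form Cost Accounts, Cost Accounts cut into short-duration Work Packages, each carrying a Work Description and Closeout Criteria) can be modelled and audited mechanically. The Python below is an added example, not code from the paper or from any NASA or contractor system; the WBS items, organization units, activity names and closeout criteria are constructed for illustration. It checks the two requirements the paragraph states: that each required critical activity (here, two hazard analyses) is actually carried in some Work Package Work Description for every WBS item, and that every such activity has a tangible closeout criterion; it also refuses to close a package until evidence has been delivered for every described activity.

```python
"""Model of Work Breakdown Structure -> Cost Account -> Work Package with
an audit of safety-critical activities.  Added example; all names and
sample data below are constructed, not taken from the paper."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class WorkPackage:
    """One short-duration slice of a cost account (WBS item x org unit)."""
    wbs_item: str
    org_unit: str
    start_week: int
    end_week: int
    # Work Description: activities that are required, scheduled and funded here
    work_description: list[str]
    # Closeout Criteria: activity -> tangible evidence that closes it out
    closeout_criteria: dict[str, str] = field(default_factory=dict)
    # Evidence actually delivered so far (constructed bookkeeping)
    evidence_delivered: set[str] = field(default_factory=set)

    @property
    def cost_account(self) -> tuple[str, str]:
        return (self.wbs_item, self.org_unit)


def form_cost_accounts(wbs_items, org_units):
    """Matrix the WBS with the contractor's organization units (Figure 5)."""
    return set(product(wbs_items, org_units))


def audit_critical_activities(packages, required_activities, wbs_items):
    """Return (wbs_item, activity, problem) triples for every required activity
    that is not carried in any work description for a WBS item, or that is
    carried without a tangible closeout criterion."""
    findings = []
    for wbs in wbs_items:
        for activity in required_activities:
            carriers = [p for p in packages
                        if p.wbs_item == wbs and activity in p.work_description]
            if not carriers:  # not required, scheduled or funded anywhere
                findings.append((wbs, activity, "not in any work description"))
                continue
            for p in carriers:
                if not p.closeout_criteria.get(activity, "").strip():
                    findings.append((wbs, activity,
                                     f"no closeout criterion in {p.org_unit} package"))
    return findings


def deliver_evidence(package, activity):
    """Record that the closeout evidence for an activity has been delivered."""
    if activity not in package.work_description:
        raise ValueError(f"{activity!r} is not in this package's work description")
    package.evidence_delivered.add(activity)


def can_close(package):
    """A package closes only when every described activity has a criterion
    and its evidence has been delivered; an activity with no tangible
    criterion blocks closeout permanently."""
    return all(a in package.closeout_criteria and a in package.evidence_delivered
               for a in package.work_description)


# Constructed sample program: two WBS items, two organization units
WBS_ITEMS = ["1.2 Propulsion", "1.3 Guidance"]
ORG_UNITS = ["Design Engineering", "Test Lab"]
REQUIRED_SAFETY_ACTIVITIES = ["preliminary hazard analysis",
                              "single point failure analysis"]

SAMPLE_PACKAGES = [
    WorkPackage("1.2 Propulsion", "Design Engineering", 1, 6,
                ["layout design", "preliminary hazard analysis",
                 "single point failure analysis"],
                {"layout design": "drawings released",
                 "preliminary hazard analysis": "PHA report signed by safety engineer",
                 "single point failure analysis": "SPF list with redundancy disposition"}),
    # Guidance: the PHA is described but has no closeout criterion, and the
    # SPF analysis is not described at all, so it is neither scheduled nor funded
    WorkPackage("1.3 Guidance", "Design Engineering", 1, 6,
                ["circuit design", "preliminary hazard analysis"],
                {"circuit design": "schematics released"}),
    WorkPackage("1.3 Guidance", "Test Lab", 7, 10,
                ["bench test"], {"bench test": "test report approved"}),
]

if __name__ == "__main__":
    for finding in audit_critical_activities(SAMPLE_PACKAGES,
                                             REQUIRED_SAFETY_ACTIVITIES, WBS_ITEMS):
        print("FINDING:", *finding)
    print("cost accounts:", sorted(form_cost_accounts(WBS_ITEMS, ORG_UNITS)))
```

Run against the constructed data the audit reports two findings, both on the Guidance item: the preliminary hazard analysis is scheduled but has no tangible closeout criterion, and the single point failure analysis appears in no Work Description at all. The first propulsion package cannot be closed until evidence for all three of its activities has been delivered, which is the mechanism the paragraph describes for tying completion of safety analyses to the work package rather than to a separate specialist plan.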

STEP 5 - FEE ADJUDICATION 

From the point of view of the customer’s 
system safety manager, the award fee type of 
contract is by far the most attractive. This type 
of contract provides incentive for the buyer 
and the seller to agree on what should be done 
during each award fee period of, say, six 
months. If the total award fee is to be in the 
range from two to fifteen percent, it is rea- 
sonable to assign, say, one-half of one percent 
to the accomplishment of the safety program. 
It is this tie-in between the performance of safety activities and award fees that provides the best hope for full exploitation of the skills, knowledge, and techniques of the professional system safety engineering during the 1970 decade. 

SUMMARY 

In summary, the safety contracting meth- 
odology of the 1960's was dominated by indi- 
vidual safety program plans together with 
a need for large and expensive system safety 
staffs to prepare, execute, and audit the exe- 
cution of these plans. During the 1970's, there 
is a rapid trend toward the absorption of sys- 
tem safety disciplines into the five basic func- 
tion program plans. The contracting practices 
of both the buyer and the seller should reflect 
and encourage this trend. In particular, the 
award fee principle should be used to provide 
confidence that system safety technology will 
be fully exploited during the 1970's. 
FOREWORD 


As part of the Second NASA Government-Industry System Safety Conference, this paper was prepared to inventory the development and features of the currently best known system safety requirements document, MIL-STD-882, "System Safety Program for Systems and Associated Subsystems and Equipment...," dated July 15, 1969. NASA officials requested me to prepare it and, although I have not been in mainstream Department of Defense (DOD) efforts to implement the standard recently, I was in an active advisory capacity to DOD during the Standard's formulation and, indeed, its predecessors, the MIL-S-38130 series. Presumably, this would provide a degree of objectivity at least in assessing the successes - and failures - of the Standard thus far. 

Unfortunately, this is not necessarily the case. I remain biased! I firmly 
believe there is a need within the management work structure of any rea- 
sonably complex system for a defined and implemented system safety 
program. The "whys" of this need have been chronicled elsewhere by 
others as well as myself. In any case, some implementing process is 
required. 

As a result, this paper merely reiterates certain development history 
of MIL-STD-882 and attempts to spell out the role of the Standard through, 
among other ways, identifying its norms, its strengths, and its weaknesses. 
Further, of course, there are some considerations for the future. 

This paper is not to be construed as representing an official position of 
the National Transportation Safety Board although the record has clearly 
shown the Board's endorsement of the system safety concept. 


C. O. Miller 



REQUIREMENTS FOR SYSTEM SAFETY PROGRAMS AS DELINEATED 
BY MIL-STD-882 


EVOLUTION OF SYSTEM SAFETY PROGRAM 
REQUIREMENTS 

In January 1946, Amos L. Wood of the 
Boeing Company presented an Institute of 
Aeronautical Sciences (IAS) paper regarding 
a recommended air safety program for air- 
craft manufacturers. He emphasized "continuous 
focus of safety in design... advance analysis 
and post accident analysis... accident preven- 
tive design to minimize personnel error... 
safety work, most effective when it is not 
fettered by administrative organizational 
pitfalls." (1)* 

In February 1948, William I. Stieglitz 
wrote: 

"Safety must be designed and built into 
airplanes, just as are performance, sta- 
bility and structural integrity... Every 
engineer cannot be expected to be as 
thoroughly familiar with all the devel- 
opments in the field of safety anymore 
than he can be expected to be an expert 
aerodynamicist... (thus) A safety group 
must be just as important a part of a 
manufacturer's organization as a stress, 
aerodynamics, or weights group... 
(although) A safety program can be or- 
ganized in numerous ways and there is 
probably no one best way." (2) 

While the obscurations inherent in history 
preclude totally accurate revelation of who 
said what to whom first, these quotations 
represent the two earliest statements of what 
can be considered the cornerstone system 
safety principle. Namely, that at some level 
of system complexity, management is most 
effective and efficient if it were to require 
a specialized approach to safety as well as 
safety being simply everyone's job. 

That this has come to pass is not a matter of argument, it is a matter of record. (3) The military services implemented this philosophy in their operational segments in the early 1950's. In this same time frame, many aircraft manufacturers established flight safety engineering groups (and without government requirements!). The aircraft complexity barrier was being faced and a number of "-ility" functions were being called upon to supplement heretofore normal management division of work to provide a functional, economical, reliable, maintainable, available and sufficiently safe system so that a mission could indeed be performed. 

*Numbers in parentheses refer to references noted at end of paper. 

Then, in oozed systems management. This not only called for a life cycle look and a better description of what comprised a system, but it produced a plethora of contractual documents.** Missile and space vehicle development in the late 1950's required this approach not only because of the aforementioned complexity problem being carried over and amplified from aircraft development, but also the loss of a single vehicle became an economic and mission degradation that simply would not tolerate less than an all out accident prevention effort. And the mood of the times dictated more clearly defined documentation during the engineering phases, including safety programming, as it had been implemented a decade earlier in the aviation operational world.*** 

Highlights of such specification predeces- 
sors to MIL-STD-882 are summarized below: 

MIL-S-23069 (WEP) "Safety Requirements, 
Minimum, for Air Launched Guided Missiles" 
October 31, 1961 

This oft forgotten document broadly identified life cycle requirements for a system safety program. Its implementation, however, was minimal, at least at its beginning. The Navy organization then, as now, was not conducive to life cycle system safety implementation efforts. 

**An interesting analogy is possible here. "Plethora" is defined in the medical sense as "a disease caused by an excess of red corpuscles in the blood or an increase in the quantity of blood in the body." This led one writer to observe "a person in plethora (is) dying from too much health" (Sheridan as quoted in the World Book Encyclopedia Dictionary, 1963). Consider the "health" of the aerospace industry today as too much documentation??? 

***It has also been argued, perhaps not too facetiously, that in missiles, you no longer have a pilot to blame for the vehicle's loss, so why not go further upstream to the system's design? 

BSD Exhibit 62-41 "System Safety Engi- 
neering: Military Specification for the Devel- 
opment of Air Force Ballistic Missiles" 
June 1962 

This USAF Ballistic Systems Division 
document was noteworthy on several 
counts. First, it was the initial defini- 
tive system safety specification that 
was implemented in major aerospace 
programs. Almost of equal significance, 
it was the first time such an engineer- 
ing effort received the unqualified sup- 
port of the head of the procuring agency 
who literally directed BSD contractor 
management personnel to get with the 
program, so to speak, or forget doing 
business with BSD. (4) 

MIL-S-38130 (USAF) "General Require- 
ments for Safety Engineering of Systems and 
Equipment" September 1963 

Actually, Commander Donald Layton 
USN made major attempts to translate 
BSD Exhibit 62-41 into a broader based 
system safety engineering specification 
applicable to all DOD aerospace sys- 
tems. However, he encountered in-house 
resistance by the BuWeps Industry Mate- 
rial Reliability Board which preferred 
to wait for a broader program that 
would encompass safety, reliability, 
maintainability and other similar requirements under one heading. (5) Concurrently, Lt. Col. James McConnel of the USAF Systems Command Headquarters aggressively shepherded the document through Air Force channels as a cleaned-up version of BSD 62-41. What it contained was basically four requirements:

(1) A safety management program 

(2) Criteria to produce a reasonable 
level of safety 

(3) Hazard analysis 

(4) Program milestone reporting 

MIL-S-58077 (MO) "Safety Engineering of Aircraft Systems, Associated Subsystems and Equipment; General Requirements for" June 30, 1964 


This Army specification was a virtual 
verbatim issuance of MIL-S-38130. 
Interestingly enough, the Army was the 
first service to apply its specification 
to a new aircraft program, the Armed 
Aerial Fire Support System (AAFSS). 
(6) 

MIL-S-38130A (DOD) "System Safety Engi- 
neering of Systems and Associated Subsys- 
tems, and Equipment, General Requirements" 
June 6, 1966 

In the 1964-5 time period the Air Force 
Systems Command (AFSC) continued 
leadership in system safety by not only 
requesting an updating of MIL-S-38130, 
but also developing a System Safety 
management guide and a System Safety 
design handbook (ultimately published 
as References 7 & 8). Concurrently, 
a decision was made to implement the 
system safety approach DOD-wide as 
part of a continuing program of inter- 
service standardization of requirements 
documentation. (9) AFSC was named 
Office of Primary Responsibility (OPR) 
for the task. The result was MIL-S- 
38130A (DOD). It subsequently was intro- 
duced into many programs both new and 
underway. 

At this point the reader might ask "why 
all this discussion on the history of system 
safety and particularly the specification and 
current standard development?" The answer 
is so simple as to often be overlooked by the 
newcomer to system safety and MIL-STD-882. 
There is a decade or two of specific tech- 
nological and managerial experience that has 
shaped MIL-STD-882, time which has demon- 
strated the need for such a programmed 
approach, time which has seen senseless waste 
of men and other resources that could have 
been avoided by an improved systems approach 
to safety. 

Does this mean MIL-STD-882 is a model 
document? Far from it as will be discussed 
subsequently. It simply means some very 
astute and high ranking management types, 
both inside and outside the government, had 
fully adopted the system safety principle by 
the time the decision was made to go to a 
"standard." Indeed, the combined talents of 
many people offered a check and balance into 
what had preceded the standard and what got 
into the standard itself.* 

MIL-STD-882... ITS CHARACTERISTICS 

Like any Military Standard, MIL-STD-882 
must be considered as the uniquely defined 
type of document that it is. For example, a 
Military Standard does not connote the precise- 
ness of every yardstick being 36 inches long. 
Nor does it connote some minimum acceptable 
level of performance as is generally the case 
with "standards" issued by the Federal Aviation 
Administration. A standard is, by DOD defi- 
nition, as follows: 

"A document that establishes engineering and technical limitations and applications for items, materials, processes, methods, designs, and engineering practices." (10) 

Engineering standards, further, are "docu- 
ments created primarily to serve the needs 
of designers and to control variety... define 
terms, establish codes and document prac- 
tices, procedures and items selected as stand- 
ard for design, engineering, and supply man- 
agement operations." (11) 

Military standards are not to be used as 
the direct medium for imposing administrative 
requirements on contractors. Rather, stand- 
ards function in procurement through the 
medium of specifications. (12) Specifications 
are in turn defined as: 

"A document intended primarily for use 
in procurement, which clearly and ac- 
curately describes the essential tech- 
nical requirements for items, materials, 
and services including the procedures 
by which it will be determined that the 
requirements have been met." (10) 


*Not to be forgotten in this entire discussion are other events in the evolution of system safety such as the direction of the concept into the SST program by the FAA in 1965, the Apollo 204 fire that launched NASA into system safety, the National Transportation Safety Board's recommendations regarding system safety in surface modes of transportation, etc. While not directly bearing on MIL-STD-882, these non-DOD developments in system safety are further testimony of the acceptance of system safety principles. 


Accordingly, MIL-STD-882 is more a guide 
than a directive at least until program man- 
agement decides to follow it. Then it becomes 
a matter of further delineation, through speci- 
fications or otherwise, to implement a specific 
program tailored to the system under con- 
sideration including where that system is in 
its life cycle. 

To be more precise in what MIL-STD-882 comprises, consider it in two ways: first, the problems inherent in MIL-S-38130A which were corrected and, second, what are the Standard's basic features.** 

During its application, MIL-S-38130A was 
revealed to be limited if not deficient in that it: 

(1) Did not adequately define terms neces- 
sary for its understanding. 

(2) Was limited to the engineering phase of 
the life cycle only thus negating optimum 
effectiveness of total system safety 
management practices. 

(3) Entailed excessive emphasis on the 
analytic process to the exclusion of 
other tasks. 

(4) Produced further confusion between 
safety and reliability engineering efforts 
particularly because of a failure to 
delineate between the two in the analytic 
process. 

(5) Failed to acknowledge the role of train- 
ing in the accident prevention process. 

(6) Failed to provide for safety data com- 
munication and interchange between the 
customer and contractor and within 
the customer's own organizational seg- 
ments. 

(7) Failed to provide for a safe and ac- 
ceptable disposal of equipment and mate- 
rial at the completion of their use- 
fulness. 


**It can be argued that MIL-S-38130A was neither specific enough as a specification nor sufficiently encompassing as a standard. Another reason for establishing the standard was the desirability to place in the documentation hierarchy a top document under which various detail system safety specifications could develop logically. 
As will become apparent in a moment, 
these shortcomings were corrected for the 
most part in the published MIL-STD-882. 

Like all military standards, of course, 
MIL-STD-882 is couched in governmentese 
language. However, when all the confusion 
factors are eliminated, what the document 
really says is this: 

(1) It tells why the standard is in existence, 
i.e., to provide for a system life cycle 
program for safety with the planning 
function being used as the overview 
control document. Observe this goes 
well beyond engineering per se... a fact 
often not recognized by the casual 
student in the field. 

(2) It defines terms which, in their finality, 
look simple. In actual fact, however, 
they bear careful study. The nuances 
existent in the use of the word system 
(rather than systems) or the need to 
distinguish between different levels of 
contractors are but examples of where 
meanings must be fully appreciated 
before many other parts of the standard 
fall into place. 

(3) It provides requirements within con- 
straints present in any "standard" type 
document as discussed earlier. These 
include: 

a. A System Safety Program Plan 
(SSPP). 

b. Specific tasks in different phases of 
the life cycle. 

c. An explanation of what safety organi- 
zation is present to implement the 
program. 

d. Milestone and program review 
points. 

e. Detail consideration of hazards and 
the analysis thereof, to include cor- 
rective action or control processes 
available. 

f. Safety data production and inter- 
change. 

g. Testing considerations, both in veri- 
fication of given safety performance 
and insuring test programs being 
performed safely. 

h. Training program inputs. 

i. Special consideration of ground stor- 
age and handling problems including 
system close-out requirements. 


(4) It provides, albeit brief, a relationship 
to associated disciplines, particularly 
to system engineering. 

In addition, the sample System Safety Pro- 
gram Outline (Appendix A to the Standard) 
implies other tasks that might be expected 
within the scope of an SSPP, e.g., accident 
investigation planning and procedures, audit 
programs, establishment of system safety 
groups, etc. 

In summary, MIL-STD-882 is a document 
which says "You ought to consider a system 
safety program, plan for it, and here are some 
of the prime considerations when you do.” 
It is the basis for good dialogue with manage- 
ment when they face their difficult decisions 
about safety. It is the system safety practi- 
tioner in his relationship to management what 
the blueprint is to the designer in his relation 
with his management or with the manufacturing 
department. 

A long-time colleague, Vernon L. Grose, 
also put it succinctly this way: 

"A System Safety Program Plan is a mech- 
anism to translate a generalized standard 
into a language that management under- 
stands in terms of cost, performance, and 
schedule." (13) 

Enough said for the objectives and good 
points. What about the problems with MIL- 
STD-882? And it does have some, or at least 
the system trying to use it does! 

MIL-STD-882 ... ITS PROBLEMS 

Without attempting any rank order listing, 
let us consider various adverse comments 
involving MIL-STD-882 derived from a number 
of personal interviews and a review of a par- 
ticularly critical analysis of the standard 
appearing in the Journal of Quality Technology, 
October 1970. (14) Before proceeding, however, 
it is of interest to note that as of May 1, 1971, 
the OPR for the Standard, AFSC Hdq (IGFS) 
had not received a single written criticism 
as requested routinely in all standard docu- 
ments and appended to each release (DD Form 
1426). This followed, among other communi- 
cations, a specific request for such com- 
ments at the USAF-sponsored System Safety 
Conference in Las Vegas, February 1969. 

Nevertheless, listed below are the problems 
encountered and personal editorial-type views 
of this author noted under "Comment." 
1. The Standard is too confusing... is not 
easily understood. 

Comment: Perhaps true; however, a 
standard in safety cannot be expected 
to be understood or appreciated by per- 
sons not well versed in the field any 
more than a power plants engineer could 
be expected to fully comprehend a 
standard in electromagnetic radiation. 
In other words, one should know the 
business before trying to criticize it! 
Still, the challenge remains to put the 
Standard in words a broader-based 
population can grasp. 

2. There are minimal numbers of trained 
and/or experienced personnel in the 
system safety field and unfortunately 
non-qualified engineers are often as- 
signed to system safety tasks both at 
the contractor or at the procuring 
agency. 

Comment: A very valid point and one 
closely allied with the previous item. 
The solution rests not only with more 
and better system safety literature and 
training, but also with continued pro- 
fessionalism by those in the field. 
Further, the pseudo safety expert (who 
got that way because his boss merely 
told him to put on a system safety hat) 
must be recognized and exposed for 
what he is. 

3. Each program must have a safety effort 
delineated for its own peculiar needs. 

Comment: That's correct and as it 
should be, albeit more ingenuity and 
hard work may be involved than to 
simply follow MIL-STD-882 in check- 
list fashion. But, since when do we 
accomplish progress in our aerospace 
field "by the numbers" or, even more 
importantly these days, do it within 
reasonable economic limits without 
ingenuity and hard work? 

4. The Standard or other documents do not 
relate system safety to other disciplines. 

Comment: Another valid point, although 
the place for such delineation probably 
does not belong in MIL-STD-882 but 
rather in something like MIL-STD-499, 
"Military Standard, System Engineering 
Management." (MIL-STD-499 is only 
under trial use today by the USAF.) 


In any case, the distinctions have been 
made in various contributions to the 
technical literature. 

5. Duplication of effort among the "ilities" or between system safety efforts and designers is encouraged by MIL-STD-882. 

Comment: Even discounting the fact that planned duplication of some effort (e.g. critical hazard analyses) may often be a wise management technique, the problem suggested here has arisen. It does so because contractor and/or customer organizational segments have parochial interests which preclude cooperation between different organizational segments. Or, as covered more in the next item, the documentation requirements are conducive to separate reporting. 

6. Information is developed for contract 
satisfaction rather than for use at the 
time of its inception or downstream. 
Comment: This may well tie in with 
the people experience problem described 
earlier but in any case is considered by 
many to be the principal problem asso- 
ciated with MIL-STD-882. For example, 
if timing of hazard analyses is not 
predicated upon their contributing to 
the design or their output does not tell 
a usable story to downstream personnel, 
what really has been accomplished? 
Answer: A paper exercise ... and it has 
happened. 

7. In contractual arrangements with some 
parts of DOD a single integrating con- 
tractor is not designated thus, making 
system safety integration a bureau- 
cratic nightmare. 

Comment: A serious problem. As to 
just how serious, the DOD agencies can 
only answer for themselves. 

8. Implementation of a total life cycle 
system safety program within most 
military organizational structures is 
difficult because of excessive admin- 
istrative barriers between development 
and using commands. The arsenal ap- 
proach simply does not provide for 
a life cycle approach to anything includ- 
ing safety. 

Comment: This has been a long stand- 
ing problem which can be overcome to 
some degree by formation of a strong 
system safety group early in the pro- 
gram and not letting it become degraded 
with time. This would seem to be 
dependent upon the initiative of oper- 
ating command personnel even more 
than those at the development end of 
the spectrum. 

9. System safety cannot be quantified and, 
therefore, the hazard analyses can never 
become a part of management's prime 
effort in maintaining a high benefit to 
cost ratio for its efforts. 

Comment: This myth continues to sur- 
face periodically but fortunately aero- 
space technology has seemed to come 
around to the real world pleaded for on 
this subject by system safety types for 
many years. Witness DOD Instruction 
7041.3, "Economic Analysis of Depart- 
ment of Defense Investments,” which 
states "An economic analysis is not 
required ... when it can be shown that 
an analysis would not... result in in- 
creased decision effectiveness.” (15) 
Actually, the principal contribution of 
hazard analysis is to make people think 
before the accident instead of after- 
wards not the paper result. 

10. System safety costing difficulties are 
continuing. No one seems to have found 
an adequate formula for what should be 
a direct charge, vis a vis an overhead 
charge, for system safety. Further, all 
too often, unqualified people at the 
negotiating table are discussing safety- 
generated work items. 

Comment: Once again, an old problem 
but one that is faced by anyone oper- 
ating at the marketplace today. Resolu- 
tion would seem best achieved when 
solution to the next item listed is 
forthcoming. 

11. Safety tasks suggested by MIL-STD-882 
are not definitive enough. 

Comment: This would seem to be a 
valid criticism and will remain so until 
more "how-to-do-it" technology is doc- 
umented and understood by all. The 
design safety handbooks on hand and/or 
underway by some of the services are 
a major step in this direction. However, 
as indicated earlier, system safety tasks are not uniquely those associated with design, and the total collection of such material in text form is still on the distant horizon. 

12. The feedback loop to system safety of 
a given system via the accident/incident 
investigation process does not seem 
to be well established. 

Comment: As noted earlier, the outline 
SSPP acknowledges accident/incident 
investigation as a part of the program. 
But what about an effective closing of 
the loop back to the designer, the pro- 
duction man, the manager, etc., of the 
specific results of the investigation con- 
ducted by either the manufacturer or 
the customer? Is it really being done? 
Answer: No! 

13. The fear of litigation has not only re- 
stricted information interchange con- 
cerning accident/incident investigations 
(applies to 12 above) but also has in- 
hibited accomplishment and dissemina- 
tion of information associated with haz- 
ard analyses. 

Comment: Sooner or later all firms and 
agencies will realize that a far greater 
risk is incurred concerning their possi- 
ble culpability if it can be shown they 
did not use state-of-the-art analytical 
techniques at their disposal when the 
product was designed, tested, or turned 
over to the operator. And such tech- 
niques can be described in courtrooms 
today by any number of qualified con- 
sultants. What exists today in this regard 
is the psychological roadblock in the 
minds of most technologists concerning 
anything related to legal proceedings. 

14. Several questions about the logic used 
involving the term "hazard": 

a. Why a "system safety hazard?" 
(Section 4.2.4 of MIL-STD-882) 
Comment: Does it mean a hazard 
to safety? 

b. A Category I hazard is called 
"Negligible," that is, it will not 
result in personal injury or damage. 
Comment: The question remains if 
it won't cause injury or damage, 
how can it be called a hazard? 

c. The Category IV hazard is of most 
concern. 

Comment: Number four out of how 
many? (Besides, it is the exact oppo- 
site numbering logic from that used 
by NASA, although at one time during 
discussion regarding the Standard, 
NASA's logic was the same.) 

These comments regarding "hazard" 
approach the nit-picking category but 
are troublesome questions that could 
stand some editorial correction. 

Observe that some if not most of the basic 
problems described could be dismissed as 
being non-relevant to the Standard itself, and, 
in fact, simply described as faults of the 
system in which the Standard operates. But 
let us take a lesson from our own system 
safety methodology. If something has prob- 
lems, you do not just look at any single piece 
of the action to effect corrective measures. 
You also look at the interrelationships wher- 
ever they exist and try to make corrections 
wherever possible within existing fiscal and 
time constraints. In the end, then, your indi- 
vidual components start looking better as well 
as the total system performance. 

SUMMARY AND REMARKS 

System safety in general and MIL-STD-882 
in particular will not remain static since the 
overall aerospace business will not remain 
static. The emphasis placed on the evaluation 
phase of system procurement by DOD is one 
example of change being felt now. (16) Another 
is a programmed detailed review of MIL-STD- 
882 to be performed in the next few months by 
a committee representing the military services 
safety centers. 

It would seem that during these dynamics, 
it is incumbent upon the workers in system 
safety to continue their professionalism and 
dedication to the accident prevention task. 
Then, too, the system managers should try 
to be open-minded enough to try to under- 
stand the contribution that can be made by 
utilization of the principles outlined in MIL- 
STD-882 albeit they should not be satisfied 
unless they are convinced a system safety 
approach contributes positively to their mis- 
sion. This is something that can only be 
accomplished by their association with quali- 
fied people in the field. 

Of all the problems encountered in research for this paper, the item most frequently illuminated was the lack of appropriate people 
at the decision points where system safety 
was needed or used. This is not just a matter 
of education in the sense of people having a 
general association with the principles of 
system safety. It is also a matter of a better 
understanding of the "how-to's" of system 
safety... the specific safety tasks that must be 
delineated for a given program, man-loaded in 
the work allocation process, scheduled with 
the other work, and assessed as to their effec- 
tiveness by measures valid for the tasks that 
have been performed. 

Whoever said "Safety is a responsibility, 
not a task" was living in a philosophical dream 
world. (17) You do not achieve accident pre- 
vention by just appealing to people's ethical 
values, you get out and work using proven 
accident prevention techniques. In this regard, 
most of the educational programs in existence 
concerning system safety are just that, edu- 
cation rather than training. The sponsors 
cannot seem to afford to pay for or allocate 
the time of their people to have each task 
subject covered in depth. An exception to this 
might be thought of in terms of the Fault Tree 
analysis course at the University of Wash- 
ington. However, Fault Tree is just one analy- 
sis technique among dozens that might be used. 
There are many tasks besides analysis, and 
recognizing this, one begins to appreciate the 
magnitude of the job of training people in the 
system safety discipline, let alone educating 
those on the periphery. 

Appreciating the above problem, there 
becomes a need for more manuals and, yes, 
specifications, when the techniques are rea- 
sonably solidified. Another possibility would 
be a series of Aeronautical Recommended 
Practices (ARP's) by the Society of Auto- 
motive Engineers (SAE) or similar publi- 
cations by the EIA G-48 Committee.* In any 
case, the discipline must be documented in 
every expanding fashion with constantly im- 
proving professionalism if it is to compete in 
the marketplace for management's dollars. 

One thing is to have a MIL-STD, and even a series of explanatory directives such as AFSCM 127-1, (7) or the Army's AMCP 385-23. (18) It is quite another thing to have something quite specific to implement. 

*Electronics Industries Association, System Safety Engineering Committee, G-48. 

Finally, as a major finding of this little 
study, a question is posed. Do we want paper 
or progress? All too often in the implemen- 
tation of MIL-S- 38130, MIL-S-38130A, and 
even MIL-STD-882 thus far, too many people 
seem to think the objective was to turn in 
a specified number of documents so that a box 
could be checked off for contract progress 
reports. A disproportionate amount of time 
has been spent figuring out the paper flow 
compared to expeditious resolution of the 
dirty details of what the paper contained. 
Fortunately for all of us, this "easy way out" 
has not always been the case and things are 
improving. Ask some of the aircraft manu- 
facturers of those weapon systems to which 
MIL-STD-882 has been applied. 

In conclusion, the two decades or so of 
effort leading up to MIL-STD-882 has not all 
been fun and games. Nor will the next two 
decades be such while we advance man's 
ability to control those forces of destruction 
that, in increasing fashion, he himself has 
created. But we will be working at it. 
INTRODUCTION 

In any undertaking there is always a com- 
petition for resources. Decisions must be 
made for each expenditure of time and money. 
Functional and specialty groups compete for 
the funds necessary to do the best possible 
jobs within their specialty. 

No one gets all the money they want and 
each element of a total system, be it man- 
agement or technically oriented, must pre- 
pare the best possible argument for their 
position. Dedicated specialist groups are be- 
coming more sophisticated in their approach 
and have given up on the motherhood approach 
in favor of hard facts determined from de- 
tailed analyses. 

The system safety function is no different 
from other specialist groups in its need to 
compete for limited resources. Although man 
is inherently reluctant to settle for less than 
the ultimate in safety, a program manager is 
sooner or later faced with the decision as to 
how safe is safe enough. 

The combination of all specialist groups' 
inputs into a balanced program is essential. 
The systems engineering process is a method 
that defines the system and its functions, 
integrates the requirements of all of the sub- 
functions, sets priorities for funds and time 
to carry out the tasks and directs the com- 
bination of all engineering efforts to com- 
plete the program. By definition the system 
safety effort thereby becomes a part of the 
systems engineering process. 

The term systems engineering has been 
used to describe many different things. To 
properly respond to the title of this paper, a 
baseline description of systems engineering 
must be established since system safety is 
one of the subfunctions in the systems engi- 
neering process. 

Although many of the elements of systems 
engineering had been applied before, the Air 
Force 375 (1) series of manuals in 1964 
focused attention to combining these elements 
into an engineering discipline. This series 
has now evolved into MIL-STD-499 (2), "Sys- 
tem Engineering Management," which is taken 
as the baseline description of the systems 
engineering process for the purpose of this 
paper. 


The government objectives in MIL-STD- 
499 are: a) the efficient engineering definition 
of a complete system; and b) the efficient 
planning and control of the technical program 
for the design, development, test, and evalua- 
tion of the system. Contractors must provide 
a logical sequence of activities and decisions 
leading to the definition of the configuration, 
usage and support of the system and technical 
program for acquiring a system. The defini- 
tions established by systems engineering pro- 
vide the basis for the subfunctions to conduct 
their analyses and establish their require- 
ments on the system. This is an iterative 
process starting with the conceptual phase and 
extending through the life of the program. 
The subfunctions include but are not limited to 
the following: Design, Test, System Safety, 
Reliability, Logistics, Maintainability, Quality, 
Human Engineering, Configuration Control, 
Security Engineering, and Value Engineering. 
Other subfunctions may be added for specific 
programs. 

THE SYSTEMS ENGINEERING PROCESS 

The basic elements of the systems engi- 
neering process are given in Figure 1. De- 
tailed discussion of each of the systems 
engineering elements are included in MIL- 
STD-499 and will not be covered here. This 
paper will address itself to the information 
that system safety requires from systems 
engineering, and the information that system 
safety provides to other subfunctions of sys- 
tems engineering. 

MIL-STD-499 requires and defines the 
preparation of the systems engineering plan. 
It is recognized that this is essential to the 
proper planning and control of the systems 
engineering program. MIL-STD-882 (3) places 
a great emphasis on the system safety plan. 
It requires that one be prepared for each 
Department of Defense Program. NASA NHB 
1700.1 - Vol. III (5) also specified that a 
system safety plan be prepared for each proj- 
ect or program. 

The proper preparation and integration of 
these two plans is of utmost importance. 
After they are approved by management they 
become the controlling documents for systems 
engineering and system safety. It is in the 
system safety plan that the necessarily gen- 
eral requirements of a specification or pro- 
gram guide are merged with the specific needs 
of a particular program to define tasks and 
responsibilities to make a safety program 
live and breathe. 

SYSTEM SAFETY PROGRAM 

System safety has gone through many of 
the same growing pains as systems engi- 
neering. The need for improved product safety 
was recognized and the only way to assure it 
was to consider the entire system. The prob- 
lems of definition, purpose, scope, and charter 
of system safety were pounded into shape until 
there is now general acceptance of the system 
safety discipline. MIL-S-38130 was published 
and later revised to MIL-STD-882. That, 
combined with the NASA SPD-1 (4) and NHB 
1700.1 series, provides all of the baseline 
and direction necessary for a system safety 
program. Vern Grose offers a definition for 
system safety (6) that illustrates its per- 
vasiveness with the systems engineering 
process (see Figure 2). 

The successful and cost effective imple- 
mentation of the safety program requires 
information to be available or developed. The 
results of the safety analyses and other efforts 
must flow to other organizations to become 
useful. Figures 3-8 show a simplified flow of 
a typical system safety program. The sections 
that follow will discuss this flow of informa- 
tion, how it is used by system safety and how 
the rest of the systems engineering subfunc- 
tions are affected. 

The basic tasks of any system safety program can be grouped into four basic headings: 

1) the assembly of information and data; 

2) the analysis of that information and data to determine the hazards to the system and the probability of the hazards resulting in accidents; 

3) the establishment of preventive measures through requirements and standards; and 

4) a follow-up activity that assures the requirements and standards are included in the design and operation of the system and that they are adequate. 

Ideally, the tasks should be started at the conceptual phase and upgraded throughout the life cycle, through an iterative process, improving the system as more information becomes available. 

Information and Data (See Figure 9) 

It is obvious that no work can start until 
there is some kind of system description. 
This is the start of the systems engineering 
process and one of the most important ele- 
ments. The description must be as complete 
as the program phase allows; it must be pub- 
lished to all functional elements; it must be 
revised as necessary and all subfunctions 
must be kept aware of the revisions. This 
description must include the hardware, its 
intended use and the environment in which it 
is intended to operate. 

The initial system description allows sys- 
tem safety engineers to start to assemble 
experience retention information and data to 
prepare for the analyses and trade studies 
that may be needed. Information from past 
and current programs can provide the basis 
for the initial safety criteria and guidelines 
that should be provided to the systems engi- 
neers and designers. Range safety documents, 
government standards and codes and docu- 
ments such as the Air Force System Com- 
mand Handbook DH 1-6 (7) are sources for 
much of the initial information needed. The 
experience retention data accumulated by other subfunctions should also be made available in a data center to avoid duplication of materials. Reliability, maintainability and
human factors experience data must also be 
considered by system safety. 

Preliminary system safety requirements 
can be established from this initial data. For 
example, ordnance design requirements are 
well established and can often be taken 
directly from past programs. The use of 
fuels and propellants may require ignition 
proofing or explosion-proof equipment. Nuclear power sources require special shielding and handling. These and many other obvious requirements are provided to systems engineering to be included in the systems
requirements. It is also advisable to start a 
system safety requirements document that can 
be used as a checklist during design reviews, 
flight readiness reviews and audits. 
System Safety Analyses (See Figure 10)

The systems engineering inputs given on 
Figure 9 must be available to allow a com- 
plete and effective safety analysis. The sys- 
tem description, functional flows and time 
line analysis must be current and controlled 
by configuration control to assure that all 
subfunctions of systems engineering are con- 
sidering the same system. 

The system safety analyses must: a) iden- 
tify the hazardous elements, hazardous con- 
ditions and potential accidents that could 
occur; b) determine their potential effects on 
the system; c) determine the probability of 
their occurrence (qualitative or quantitative); 
and d) provide adequate detail to direct the 
corrective action necessary to control the 
hazards to an acceptable level. 

Mission goals and objectives must be con- 
sidered in the emphasis given to system 
safety. A much higher risk may have to be 
taken in a weapons system with a high priority 
for early use than would be acceptable on a 
manned space station. The system safety 
function, along with others in the systems 
engineering process, must identify levels as- 
sociated with trades against cost, weight, 
functional capabilities, and other system con- 
straints. 

The system requirements of other sub- 
functions must be known to system safety 
engineers so they can be considered in the 
safety analyses. More will be said of re- 
quirements later. The reliability, maintain- 
ability, logistics, and functional design re- 
quirements may conflict with the safety 
requirements. The safety analyses must show 
any conflict and provide enough detail to en- 
able corrective action to be taken. 

System safety has been criticized for a great proliferation of analyses. As many as thirty-five different analyses have been listed. Some effort has been expended in attempts to standardize on several specified analyses with little success. Standardization of an analysis method is not the proper approach at this time. Specification of an output resulting from a credible analysis is appropriate. Some outputs of system safety analyses are shown on Figure 10. The main inputs supplied to the systems engineering process are the safety requirements that must be imposed on the system to make it safe enough.

The system description, functional flows 
and time line analyses provide the basis for 
the system safety analyst to identify the 
hazardous elements and conditions inherent 
in the system. The information may be ana- 
lyzed, using a tabular format such as the 
Preliminary Hazard Analysis or the logic 
network format of the fault tree analysis. If 
the output required is qualitative, which is 
usually the case in early program phases, 
the time line data, functional flows and hard- 
ware descriptions are adequate. If a complete 
risk evaluation is to be made and a numerical 
requirement for safety is imposed on the system, more definitive design data is required.
This information often is provided by relia- 
bility specialists. The failure mode and effect 
analysis contains most of the information 
needed. Care must be taken to consider the 
Failure Modes and Effects Analysis (FMEA) 
results from a safety viewpoint which can 
have a different criticality than the effect on 
reliability. 

Hazard Identification 

Experience retention, in the form of data 
taken from previous programs and personal 
experience of qualified system safety person- 
nel, provides the basis for the initial identifi- 
cation of hazardous elements and conditions. 
High energy levels, hazardous environments, 
toxic gases, and structural problems are some of the first considerations. The type of fuel to be used dictates the ignition proofing requirements that must be imposed. The use of explosives requires many well established requirements to be imposed.

The environment the system is intended to operate in dictates requirements for adequate oxygen, thermal protection, shock or acceleration limits, etc. Safety factors for pressure vessels and basic structures must be established with proper consideration for the functional use of the equipment. For instance, the safety factors for pressure vessels on unmanned systems can be much less than for manned systems. However, care must be taken to be sure that such tanks are not pressurized when personnel are maintaining the system or checking it out for launch. The identification of hazards continues throughout the entire safety program. As more is learned about the system, additional hazards become apparent. All hazardous elements and conditions should be recorded and action taken to control them to prevent accidents.

Hazard Potential Effect 

The emphasis given to the control of 
hazardous elements is dependent on the poten- 
tial effect or accident that could occur if con- 
trol of the hazardous element is lost. This 
part of the analysis looks at all possible ways 
an accident could occur. The probability of 
the event occurring will be considered later. 
There are two ways this part of the analysis 
may be conducted. The analysis may start at 
the part level and continue through the sub- 
system and consider the system as a whole. 
The analysis can also start as a top down 
analysis, such as the fault tree analysis, 
which starts with an undesired event, and 
then goes down through all series of events 
that could occur to yield the undesired event. Single thread failure analyses are helpful but multiple failures must be considered to make the analyses complete. A fuel leak may increase the hazard level but a catastrophic
event may not occur without an ignition 
source. In the case of hypergolic fuels, two 
leaks may be necessary. 

The potential effect may be categorized as 
catastrophic, critical, marginal, or negligible 
as is required by MIL-STD-882 and NASA 
NHB 1700.1. This grouping enables increased 
emphasis to be given to the worst category. 
However, all of the hazards and their poten- 
tial effect should be listed and provided to 
systems engineering. This data is essential 
and must be considered during trade-off 
studies. Also, each of the items listed should 
be closed out to show what preventive actions 
have been taken to prevent an accident from 
occurring. The hazard analysis format established in D2-113072-1 (8), "System Safety Analytical Technology - Preliminary Hazard Analysis," provides for the tabulation and recording of the identification of the hazard, subsystems involved, the potential effect, the category, and the recommended preventive measure to control the hazard.

Probability of Occurrence 

The amount of resources that will be ap- 
plied in preventive measures depends not 
only on the potential effect, but also on its 
probability of occurrence. An excellent ex- 
ample of this is the potential of meteorite 
damage to spacecraft. The effect of a mete- 
orite hit would be catastrophic. However, the 
probability of significant hits is so small that 
resources have been diverted from meteorite 
protection to more effective areas in the 
spacecraft. 

There are two methods of determining the 
probability of occurrence of accidents. The 
qualitative approach such as probable, pos- 
sible or improbable can be used. This ap- 
proach is very subjective and must be based on 
empirical data, experience retention or just 
plain engineering judgment. It is used on most 
safety programs today. The quantitative ap- 
proach uses the best failure and statistical 
data to determine more accurate probabilities 
of an event occurring. A method of using FMEA data in a Fault Hazard Analysis provides some degree of quantification. The most thorough method is the Fault Tree Analysis which is used on weapons systems such as Minuteman and the Short Range Attack Missile (SRAM) where the undesired event is so serious that a numerical limit is imposed by the customer. The Fault Tree Analysis may be used for either qualitative or quantitative analyses. It has been described in numerous papers (9, 10, 11) and is documented in D2-113072-2 (12), "System Safety Analytical Technology - Fault Tree Analysis."
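As an added illustration of the top-down fault tree approach and of the point that multiple failures (a leak and an ignition source, or two leaks for hypergolic fuels) must be considered, the following is example code written for this page, not taken from the paper or from D2-113072-2; every event name, probability and rating threshold in it is constructed.

```python
"""Toy fault-tree evaluator for the top-down hazard analysis described above.
Constructed example, not code from the paper or from D2-113072-2: it builds a
small AND/OR tree under an undesired event, lists the minimal cut sets (which
failures must coincide), flags single-thread failures, and computes the
top-event probability by enumerating all basic-event states, which stays exact
even when one basic event feeds several branches. Names and probabilities are
made up for the illustration."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Event:
    name: str
    p: float  # constructed per-mission probability that this basic event occurs

@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # of Event or Gate
    name: str = ""

def basic_events(node) -> set:
    """All basic events reachable below a node."""
    if isinstance(node, Event):
        return {node}
    return set().union(*(basic_events(child) for child in node.inputs))

def occurs(node, state: dict) -> bool:
    """Evaluate the tree for one assignment of basic events to failed/not failed."""
    if isinstance(node, Event):
        return state[node]
    results = [occurs(child, state) for child in node.inputs]
    if node.kind == "AND":
        return all(results)
    if node.kind == "OR":
        return any(results)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def top_event_probability(node) -> float:
    """Exact top-event probability for independent basic events, summed over
    all 2^n failure states (cheap for the small trees of early program phases)."""
    events = sorted(basic_events(node), key=lambda e: e.name)
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        if occurs(node, state):
            weight = 1.0
            for event, failed in state.items():
                weight *= event.p if failed else 1.0 - event.p
            total += weight
    return total

def minimal_cut_sets(node) -> set:
    """Minimal sets of basic events whose joint occurrence yields the top event."""
    if isinstance(node, Event):
        return {frozenset([node])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    else:  # AND: one cut set from every input must occur together
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(other < s for other in sets)}

def single_thread_failures(node) -> set:
    """Names of basic events that alone cause the top event (size-1 cut sets)."""
    return {next(iter(s)).name for s in minimal_cut_sets(node) if len(s) == 1}

def qualitative_rating(p: float) -> str:
    """Map a number onto the paper's qualitative words. The thresholds are
    constructed for this example; a real program sets them by requirement."""
    if p >= 1e-3:
        return "probable"
    if p >= 1e-6:
        return "possible"
    return "improbable"

# Constructed tree: a fire needs a fuel leak AND an ignition source, while a
# tank burst alone is a single-thread path to the undesired event.
SEAL = Event("fuel seal failure", 1e-3)
LINE = Event("fuel line rupture", 5e-4)
ARC = Event("electrical arc", 2e-3)
HOT = Event("hot surface", 1e-3)
BURST = Event("tank burst", 1e-5)
FUEL_LEAK = Gate("OR", (SEAL, LINE), "fuel leak")
IGNITION = Gate("OR", (ARC, HOT), "ignition source")
FIRE = Gate("OR", (Gate("AND", (FUEL_LEAK, IGNITION), "leak meets ignition"), BURST),
            "propellant bay fire")
# Hypergolic propellants ignite on contact, so two leaks are enough.
OX_SEAL = Event("oxidizer seal failure", 1e-3)
HYPERGOLIC_FIRE = Gate("AND", (FUEL_LEAK, OX_SEAL), "hypergolic fire")

if __name__ == "__main__":
    for tree in (FIRE, HYPERGOLIC_FIRE):
        p = top_event_probability(tree)
        print(f"{tree.name}: P = {p:.3e} ({qualitative_rating(p)})")
        print("  single-thread failures:", sorted(single_thread_failures(tree)) or "none")
        for cut in sorted(minimal_cut_sets(tree), key=lambda s: sorted(e.name for e in s)):
            print("  cut set:", " AND ".join(sorted(e.name for e in cut)))
```

The cut-set listing is the part of the output that answers the paper's single-thread question: any cut set of size one is a failure that needs no coincident second failure to produce the undesired event.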

Corrective Action 

The output of system safety analyses is shown on Figure 10. Each of them is of importance to systems engineering. Some of them, such as inputs to trade studies and critical systems lists, can be used directly. The safety requirements that result from the analysis will be covered later. The systems engineering approach provides the way for the system safety input to be integrated into the mainstream engineering effort and to cause the implementation of the corrective action that is necessary to assure a safe system.

Safety Requirements (See Figure 11) 

The systems engineering process defines
the system and then establishes the require- 
ments for what must be included in the system 
design and operation. The system safety re- 
quirements initiated from experience reten- 
tion data are upgraded as more information is 
obtained from the above analyses. As men- 
tioned earlier, they also include appropriate 
standards and guidelines developed for other 
programs. When combined into a single docu- 
ment they are readily available to all levels 
of the contractor and customer organizations. 
The requirements document should be divided 
into design requirements and operational re- 
quirements. Design requirements include the 
systems requirements and more specific re- 
quirements for each of the subsystems com- 
ponents and parts. Operating requirements 
specify what must be included in procedures 
to enable the as-designed system to operate 
safely. 

System Safety Assurance (See Figure 12) 

System safety assurance is used by this writer to include all of the safety effort expended to assure that the design and operating safety requirements are included in the system and that they are adequate. Figure 12 lists the activities involved. The systems engineering process control of the technical program includes reviews, trade studies, change control, and audits. System safety must participate in these activities to assure that safety is included in the design and operation of the system.

Program and Design Reviews 

The entire series of program and design reviews provides an excellent opportunity for system safety to follow up on the safety program. The system safety design requirements document provides an excellent baseline for safety review. The design can easily be reviewed against the requirements and extra emphasis can be given to looking for weak points in the safety program. System safety sign-off should be required at all such reviews.

Drawing Reviews 

System safety requirements should indi- 
cate which drawings require safety review 
and sign-off. In some programs all drawings 
must be signed off by safety. In less hazard- 
ous programs only those items that are 
termed critical to safety receive such sign- 
off. Again the control inherent in the systems engineering process provides the means for system safety to carry out its function.

Configuration Control 

It is not enough to prove that the initial 
design is safe. As stated earlier, all sub- 
functions of systems engineering must be 
aware of all changes to the system. This is 
especially true of system safety. Some of the 
worst accidents in past programs have been 
caused by lack of safety considerations of 
changes to the system. This includes changes
to operating procedures as well as design 
changes. System safety should have the same 
sign-off responsibility on changes as it does 
on design reviews. Here again the systems 
engineering change control provides the means 
for system safety to "work within the system" 
to carry out its functional responsibilities. 

SUMMARY 

The primary purpose of systems engineer- 
ing is to assure the optimum allocation of 
resources to achieve mission objectives. Con- 
sequently, the entire system safety program 
is aimed at achieving the safest system pos- 
sible within program constraints and to further 
assure that this safety level is adequate. A 
decision of a program manager that a system is safe enough is a difficult one at best. To the extent that the system safety program
can contribute toward that decision with mean- 
ingful data, effective program controls and 
credible measurements of results, system 
safety activities will be able to demonstrate 
their value and successfully compete for the 
limited resources that any program has. 
SESSION IV

QUESTIONS AND ANSWERS 


JERRY LEDERER: I don't have a ques- 
tion, I have an observation. That is in con- 
nection with Mr. Packard's statement that he 
wants to withdraw all the disciplines of safety 
and put them back into basic engineering. I 
have another document of his which requires 
that a hazard analysis shall be made on hard- 
ware, and I don't see how he can reconcile 
the two points of view. I am using that last
document within NASA to promote further 
interest in system safety. 

DR. BALL: Could I comment on that, Chuck? I think this is an important point,
consistent with what Mr. Lederer has been 
pushing himself for several years. The need 
for a risk analysis or even in the case of the 
Boeing Company, the Board of Directors re- 
quiring a risk-study report at the beginning 
of each program in which all the risks, risk 
of cost overrun, schedule slippage, the risks 
of failure to achieve a required technical characteristic like flight speed or safety reliability, this I think is very much in its
ascendancy. Now of course Mr. Packard, I 
believe, and others are looking for the main 
stream program manager and chief engineer 
to submit these risk-study reports. You then 
have the safety engineer as one of the staff 
men helping the main stream. This is my 
overall point. The need for the services of 
the system safety engineer are increasing but 
it is as a staff to the main stream action, 
not as an independent staff working inde- 
pendently of the main stream. 

MR. MILLER: Yes, I would definitely like 
to comment on that. I don't know who of re- 
pute in the business has ever suggested that
safety was other than what you just described. 
If such a situation was led to take place, I 
will point the finger at the management of 
the organizations who allowed this to happen. 

QUESTION: My question is directed to Chuck Miller. Chuck, we have heard an awful lot today about MIL-STD 882 and the application of this to weapons systems, but would you care to forecast how this looks in the civil aviation business, the application of system safety, including light planes?

MR. MILLER: First of all I think like any 
safety program document, if you look around 
when you think about applying it, you'll find 
that its elements are already being applied. 
I think this is true if you think of 882 in a 
civil aviation environment. For example, the 
FAA in recent years has undertaken what they 
call a Systems Worthiness Analysis Program 
which is another term for a form of audit. 
Certainly, these things are going on in the en- 
tire system, not just the FAA. The SST Pro- 
gram had safety work in it. John can tell you 
that the 747 had quite a bit of effort along 
this line. On the other hand, there are things 
that are not being done. As a matter of fact, 
the Safety Board had addressed two of these 
things in the past year, if I recall, one was 
in connection with a commuter airliner prob-
lem in which there was a control system 
failure which was one of the Board's specific 
recommendations to the FAA to consider in 
an 882-type hazard analysis. A similar 
recommendation the Board made involved the 
FAA's ATC system, their traffic control 
system. We looked, and this happened to be a 
general aviation case out in your area, Jack, 
where a controller misidentified or I should 
say failed to identify a certain target on his 
radar scope and proceeded to have his air- 
craft fly into a mountain as a result. Our 
question was, and it turned out to be a rec- 
ommendation, why don't you apply hazard 
analysis techniques to the man/machine en- 
vironment situation existing in an ATC Center. 
In other words, these are highly analogous to 
problems that NASA faces when they are 
looking at say a launch problem. I will say 
this though, I think the incorporation of some- 
thing like 882 in civil aviation would be an 
even tougher job than it is in DoD for this 
reason, you have a very elusive buyer-seller- 
regulator relationship. Especially when you go 
across the full spectrum of aircraft from say 
an air carrier, which is relatively highly 
regulated, to a general aviation operation
which is in a relatively low regulatory status. 
So I am saying, it is a tough job. The thing 
that is missing to me is that when I look at 
civil aviation and compare it with the DoD 
approach to system safety, I don’t see a 
system safety program plan. I don’t know who 
you go to in a civil aviation business and 
honestly ask a question about a new aircraft 
being introduced or a major modification 
being made, who really has this thing laid out
in total program planning fashion. Right now 
I think the answer is no one, I would submit 
that this is the first step. I think we will 
evolve into it whether it is called MIL-STD- 
882, FAR, or whatever it is, but yes I think 
these principles are going to rub off, I think
they already have and I expect to see more of 
it. 

MR. MCGUIRE: Chuck, I have a question along that line. Wouldn't you think some of the seller-buyer relationships that Dr. Ball discussed might figure in civil aviation, commercial particularly?

CHUCK MCGUIRE: Definitely, as a matter of fact, two years ago there were some rather interesting discussions at the top levels of the Air Transport Association about the possibility of them instituting the MIL-STD-38-130A in some modified fashion for industry, that is, between the airline/industry operators and manufacturers. I never have fully understood why this suddenly came to a halt but at least it was explored at that time, about two years ago.

GEORGE CRANSTON: I have a comment and then a question. I think we have had two very fine sessions and I want to express my appreciation to the speakers and to the Chairman for this personally. I think probably we would all like to do that. I suggest we give them a hand. Second, I think one of the most significant things we have heard in this conference was brought out this morning, the fact that we need or I have felt we need more work, specific work done by individuals on developing specifications that Chuck and Dr. Ball brought out, and implementing our standards and our general guidelines that we have now. I think we have let up on this and are resting on the laurels of trying to go with the standard. A lot more work needs to be done at this time on manuals and specifications at all levels in our organization and I wonder what you think.

DR. BALL: I'd like to express a similar thought but change the emphasis a little towards check lists. For example, after the
Apollo 13 experience which I think was a 
magnificent tribute to pre-planning and pre- 
analysis in that it allowed corrective action 
to take place, there were lessons to be 
learned there. The question is now, show me 
how the lessons learned have been fed back. 
Now you can say, well, we changed this 
paragraph of this policy or this paragraph of 
this specification but I think we need the 
check list as the connecting link. We should 
show the check list items for liquid oxygen 
tanks; the check list items for configuration 
management, because there were some prob- 
lems there. Those check lists can then get 
fed into the University teaching courses we 
heard about this morning, they can get fed 
into the next revisions of our policies and 
specifications. But, because it takes so long 
to negotiate in our democratic way to get a 
spec out, I think we've got to do a much
better job of formal conversion of experience 
in the check list form. 

CHUCK MCGUIRE: You are leading into 
my favorite subject and you and I both are 
aware of the effort now going on in Skylab to 
come up with a check list similar to the one 
you have described. 

JACK FRENCH: I would like to say that 
at MSC for each mission safety has to stand 
up and be counted as to whether we feel there 
are acceptable or unacceptable risks, etc. 
We stand up along with other directorates 
such as Flight Crew Operations, Flight Op- 
erations Directorate and various engineering 
and program offices. This requires a backup 
of a knowledgeable assessment group to as- 
sess the engineering and operations aspects 
throughout the "life-cycle" of the operation. You can't just rely on the design engineers to give you this. You need an independent group of very knowledgeable people who have as much knowledge about a system design as the system designers themselves. I just want to bring this out, that I feel that we do need an independent group. At MSC we do have a group of people, they are support contractors who support us in this effort. I might add that at MSC also within the safety group is the continuity of experience from Mercury to Gemini to Apollo and Skylab that you don't have in too many departments.

MILTON: I submit one to Dr. Ball. One 
of the problems I think that we are going to 
have to face is that we can't afford to have 
anything less than absolute maximum safety 
in any program we've got. Just as you men- 
tioned, now NASA is so loaded with good 
experienced data with problems faced, con- 
quered, and now put completely to bed hope- 
fully that will not arise on something like 
the Space Shuttle. Do you think we can afford 
anything less than having all the possible data 
to give to each contractor and then do a 
safety evaluation merely on the organization 
and the experience rather than in the approach 
to it. Again, as you pointed out on the chart, 
sometimes safety people are only talking to 
safety but as we have experienced in both 
DoD and NASA programs, safety usually 
doesn’t count a single solitary point when it 
comes to selection of a contractor. I don't 
think simply having a safety plan in there 
someplace that it is recognized because 
everything else is tied to the speed capabil- 
ity, the altitude capability and all of these 
other performance items. Therefore safety 
usually only comes into being when you are 
finally in a negotiation and actually imple- 
menting the program and yet it has, as I say, 
zero weight in the selection of a contractor. 
Therefore, by giving every contractor as 
much of this data as you have available, even 
though it is all the same, you are not really 
putting one in contention against another. 

DR. BALL: I think that is a very fine 
question. Let me be clear that my answer is 
personal and doesn't represent a NASA posi- 
tion. The answer is in two steps. During the 
contractor selection process I personally 
favor asking the contractor, what are you 
going to do to assure safety? If he tells me 
for instance, he has had the initiative to go
to MSC where Jack French and Marty Raines 
have got some very fine documents such as 
safety hazard catalogs, and he has taken those 
catalogs from MSC; he has picked up other 
things from Irv Pinkel at LeRC and inte- 
grated these into his design decision process, processed them and provided them to our
mechanical designers, etc., this is the op- 
portunity for the contractor to tell us, during 
the competitive period. Once you have selected 
a contractor, then I think we should pull out 
all the stops in telling him everything we 
know. I think we should say, now look, lets sit 
down together and go over the total available 
knowledge and the sources of information that 
are available. The contractor may or may not 
pick that up and use it and through the award 
fee, then I want to trace the usage of funds. 
For instance, if I can get ½ or 1% for safety
out of a 15% fee I want to be able to check on 
the use of those resources. Is it evident the 
contractor's design decisions really are tap- 
ping all this knowledge? I think the appeal you 
made, don't hold back anything you know, I 
agree with, but the time I wish to feed that in 
is after contract award. 

CHUCK OVERBEY, KSC: I'd like to amplify one point made by Mr. Miller and that has to do with the commercial aviation field. First, those of us who have worked with military missiles and in the case of NASA with the vehicles and spacecraft, a lot of us feel that we have had a free ride and in many ways we have, from a safety viewpoint. We have been the designers, we have been the buyers, and we have been the operator. As such we have been able to specify safety measures from one end to the other. When you get into the commercial field, in particular general aviation, that is a different world. I was with the CAA for about 10½ years and you just don't dictate beyond a certain point. A light airplane in particular is a consumer product and it is a different situation entirely. Take the Bonanza, a light airplane built by Beech, it costs about $100 for a 100 hour inspection. Every time you fly the airplane for one hour you have to devote a dollar to inspection. That is the minimum requirement for FAA. If you go on and on with requirements, you will find that pretty soon you no longer have a consumer product.

JERRY LEDERER: I would like to rein-
force that. For three years I was in charge of 
all civil air regulations and we were dealing 
with a very difficult situation as Chuck has 
just mentioned. NASA and DoD are virtually 
autocracies; they can dictate. You can't dictate in civil aviation. You can do so more with the public carriers involved like the airlines, but not where general aviation is concerned. I recall in 1940 we had a case of
a man chartering an airplane in Williamsport 
to fly to Newark, getting caught in weather 
with a commercial pilot, and getting killed 
because he lost control of the airplane. 
I immediately instituted procedures to require 
all commercial pilots who offer themselves 
out for hire to have instrument ratings, and 
the hue and cry against that proposal was 
terrific. First of all we were told there were 
not enough instructors to give the necessary 
instruction and they felt it would be a drag 
on the industry. This dragged on for a long 
time and then the war started and saved me 
from further problems. This is the way it 
goes, it isn't like working for NASA or DoD 
when you get into civil aviation. 

MR. BOLGER: I would like to add a postscript to that and something Hank back there commented on. You know, I think you made a
statement that you don't win a program be- 
cause of a safety effort but you can sure lose 
the follow-on without it. This same feeling 
pops up in the civil aviation field. I have 
found, and you might call it a threat if you 
want to, but I have seen airlines, small ones 
albeit, put out of business because of accident 
problems. I have seen some big ones get 
awfully concerned over potential accidents and 
take action which they might not otherwise 
have taken. I have heard Presidents of the 
General Aviation Manufacturers companies get up in meetings within the past year and do a 180° in terms of the basic philosophy towards safety. There was a time not too long ago when some of the light plane manufacturers would stand up and say, "We are safe, everything we do is for safety and besides, let's not bring it out in the open because that will
hurt sales." I have since heard some very 
powerful people in that business stand up and 
say, "We know that we cannot survive as an 
industry without increased effort on safety." 

What I am suggesting here is that there is 
an awareness of a more difficult problem, 
but there is also an increasing awareness, as 
I see it in civil aviation, on the consequences 
of failure in inadequate safety programs. 
Is this litigation influence? I don't know. Is it the influence of the overall public concern for safety? I don't know, but it is there. General aviation people, manufacturers, operators are more acutely aware of the failures due to lack of a good safety program today than I think they ever were before.

JOHN GRISWOLD: This will be just an- 
other postscript to the comment from the 
back of the room. Just recalling within this 
year, 1971, and seeing the results of some 
debriefings, I know of two contract awards 
which the statement was made, somewhat like 
this, that the proposed safety program that 
was described in that proposal had a signifi- 
cant impact in the selection of the winning 
contractor. You can interpret significant impact any way you want, but it is something
bigger than zero as far as I am concerned. 
INTRODUCTION

Before discussing project safety I would 
like to give you a brief description of the 
Viking Project, the Management assignments 
and the space flight hardware. 

The Viking Project is part of a program 
for the exploration of Mars with the use of un- 
manned spacecraft. The objective of the mis- 
sion is to significantly advance the knowledge 
of the planet Mars by direct measurements in 
the atmosphere and on the surface. Observa- 
tions of the planet will be made during the ap- 
proach and from orbit. Particular emphasis 
will be placed on obtaining information con- 
cerning biological, chemical, and environ- 
mental factors relevant to the existence of life 
on the planet at this time, at some time in the 
past, or the potentials for the development of 
life at a future date. Two spacecraft, each con- 
sisting of an orbiter and a sterilized lander 
capsule, will be launched separately by Titan/ 
Centaur launch vehicles from Cape Kennedy 
during the 1975 Mars launch opportunity. The 
orbiters will be used to insert the landers into 
orbit about Mars. Scientific instruments on the
orbiters will be used to obtain data to aid in the 
selection of landing sites. Each lander after 
separating from its respective orbiter will soft 
land on the surface of Mars and transmit 
scientific data back to earth for a minimum of 
90 days. 

PROJECT MANAGEMENT 

The Office of Space Science and Applica- 
tions, Office of Planetary Programs at NASA 
Headquarters is responsible for the Viking 
Program Management. The Langley Research 
Center, Viking Project Office, has responsi- 
bility for overall Viking Project management. 
The Project is divided into five major systems 
as shown on Figure 1. The Lewis Research 
Center is responsible for managing the Launch 
Vehicle System. Figure 2 shows the Viking 
Space Vehicle. The space vehicle is composed 
of the Titan III, the Centaur, the Orbiter, the 
Lander, and the nose fairing. LeRC, as Launch 
Vehicle Management Center, is responsible for 
providing the Titan, the Centaur, the nose fair- 
ing, and for space vehicle integration. Space 
Vehicle Launch Management has been assigned 
to the Kennedy Space Center. 


The Jet Propulsion Laboratory is respon- 
sible for managing the Orbiter System, and the 
Tracking and Data System. Figure 3 shows the 
Viking Spacecraft. The lander is enclosed in a 
bioshield and is shown attached to the bottom 
of the orbiter in this figure. The spacecraft is 
attached to the launch vehicle in an inverted 
position from that which is shown. The Orbiter 
System is responsible for providing the orbiter 
and the adapters on both the lander side and the 
launch vehicle side. 

The Tracking and Data System provides the 
ground based system of tracking stations and 
communications networks required to fly the 
spacecraft and receive data; however, there is 
no flight hardware provided by this system. 

In addition to overall Project management 
the Viking Project Office at Langley has re- 
sponsibility for managing the Lander System 
and the Launch and Flight Operations System. 
Figure 4 shows the Lander System flight hard- 
ware. The Lander System consists of the 
lander; an aerodecelerator system consisting 
of an aeroshell, a base cover, and a parachute; 
and a bioshield to protect the lander from bio- 
logical contamination after sterilization. The 
Launch and Flight Operations System does not 
provide any flight hardware but does utilize 
hardware provided by the Orbiter and Lander 
Systems in performing its responsibility to 
conduct spacecraft launch and flight opera- 
tions. 

I should point out here that the position of 
Project Safety Officer is a staff function within 
the Viking Project Office and reports directly 
to the Project Manager. 


THE PROJECT SAFETY PLAN 

Next I would like to talk about the develop- 
ment of the Viking Project Safety Plan, how the 
requirement for such a plan was established, 
and what I feel the plan does for Project Man- 
agement in emphasizing and controlling safety. 

The safety program on an unmanned NASA 
spacecraft project begins with the signing of the 
Project Approval Document. This is the initial 
document which authorizes project go-ahead 
and assigns the system level management func- 
tions which were described to you earlier. In 
the Project Approval Document each System 
Manager is assigned the responsibility for 
safety of his system. He is required to per- 
form that function in accord with the require- 
ments of the NASA Basic Policy on Safety and 
the NASA Safety Manual. 

The next step in developing the safety pro- 
gram is to include the safety task in the Proj- 
ect Plan. This is the top management document 
for the Project and records the Project objec- 
tives and various management arrangements 
for the Project including safety. It is signed by 
each System Manager, the Center Director for 
each participating NASA Center, and appropri- 
ate NASA Headquarters management person- 
nel. The Viking Project Plan places overall re- 
sponsibility for Project Safety with the Project 
Manager, with each System Manager being 
responsible for safety of his system. The Proj- 
ect Plan also states that the Project Safety 
Officer is responsible for developing and 
implementing a Project Safety Plan. Imple- 
mentation of that plan will be the method of 
controlling Project Safety. 

The requirement for a Safety Plan having 
been established, the task now becomes one of 
producing a useful document. During the time 
that the Project Plan was in an early stage of 
development and it was known that a Safety 
Plan would be required, a work statement was 
being prepared for development of the Lander 
System and Project Integration. As part of the 
integration support to the Project Office the 
contractor was required to prepare a Project 
Safety Plan. Martin Marietta Corporation, 
Denver Division, was selected for this effort 
and did prepare, under the direction of the 
Viking Project Office, the Project Safety 
Plan. 

During preparation of the Safety Plan two 
basic facts that were mentioned a few moments 
ago had to be considered. First, the safety 
responsibilities had already been assigned by 
the Project Approval Document and the Project 
Plan and, second, the basic safety require- 
ments we were to meet were already in 
existence. These requirements are contained 
in the NASA Safety Manual, NHB 1700.1, 
Volume I; KSC - KMI 1710.1 A; and the Range 
Safety Manual, AFETR 127-1. With these 
considerations in mind it was decided that 
the plan should not be directive in nature but, 
rather, should identify within a single docu- 
ment those requirements which each System 
Manager and the Viking Project Office must 
accomplish to ensure an integrated safety 
program. 

If the Project Safety Plan does not establish 
requirements and is not directive in nature, 
what value does it have to the Project and the 
safety program? I feel there are several im- 
portant functions that the Project Safety Plan 
accomplishes. These are shown on Figure 5. 

First, preparation of the plan requires tech- 
nical interchange between safety personnel of 
the various systems early in the program. Cer- 
tainly a plan is not required to have such an 
interchange but it does provide a focal point for 
such discussions. Next, the plan identifies the 
detailed responsibilities for each System and 
the Project Office. The Project Approval Docu- 
ment and the Project Plan are general in na- 
ture whereas the Safety Plan shows the specific 
tasks to be performed in fulfilling the general 
responsibility. Third, the detailed safety re- 
quirements are consolidated in a single docu- 
ment. As I stated earlier, the requirements we 
must meet are in existence. They are, however, 
located in many documents and the Safety Plan 
is an excellent method of consolidating these 
requirements into a single document. Finally, 
and I feel this is the most important function 
of the plan, it provides a method for review of 
the total Safety Program by top level NASA 
safety management personnel. This review 
ensures those of us working safety at the 
Project level that our planning is in concert 
with basic NASA Safety Policy. 

I have discussed up to this point why we 
have a Safety Plan on the Viking Project and 
the function it serves. Now I would like to dis- 
cuss the contents of the Plan with emphasis on 
the system safety requirements. The Safety 
Plan is divided into three basic sections with 
the first being an introduction. The second sec- 
tion deals with organization and responsibili- 
ties. The Plan covers the responsibilities I have 
already discussed but in much more detail. The 
third section of the Plan gives the Viking 
Safety Program Requirements and I would like 
to discuss these in some detail. 


VIKING SAFETY PROGRAM REQUIREMENTS 

The two new major pieces of flight hardware 
to make a first space flight on Viking are the 
Lander and the Orbiter. Referring to Figure 6, 
our first requirement is that a detailed safety 
plan be prepared for each of these systems. 
These lower level plans will show both the 
system safety and operational safety tasks 
to be performed. Also included will be sections 
on industrial safety, and personnel training and 
certification. Our next requirement is related 
to safety at the launch site. We have consoli- 
dated the requirements of the Kennedy Space 
Center and the Air Force Eastern Test Range 
into a single grouping which shows those docu- 
ments and procedures which must be prepared 
by the Project and approved by appropriate 
launch site agencies prior to launch. Next there 
are requirements in the area of industrial 
safety and for each participant to prepare an 
accident incident reporting plan. These two 
items are reasonably standard safety require- 
ments so I won't go into details on them. 

The Viking Lander will receive electrical 
power from two on-board Radioisotope Thermo- 
electric Generators. Use of these devices re- 
quires approval of the National Aeronautics 
and Space Council and its decision is based on 
a Safety Analysis Report. This report is pre- 
pared by the Atomic Energy Commission and is 
based on data packages prepared by the Viking 
Project participants. The Project Safety Plan 
includes a section on the requirements for these 
data packages and the responsibilities for pre- 
paring them. 

Another requirement we have is for a 
Launch Readiness Review report on the status 
of safety. I would like to delay discussion on 
this until later because it is related to some 
points I want to make on how the project will 
monitor and control safety. 

Last, but certainly not least in the order of 
importance, are the requirements in the area 
of system safety. The purpose of system safety 
is to avoid injury to personnel and to avoid any 
loss or damage to property. To accomplish this 
our first requirement is to identify all potential 
hazards and to eliminate them where possible. 
When elimination is not possible we want to re- 
duce the hazard within practical limits. We then 
want to keep all levels of management aware of 
these residual hazards so that they may assess 
the risk involved in proceeding with the launch. 

Potential hazards will be identified through 
analyses to be made of both the hardware de- 
sign and proposed operations. After they have 


been identified each potential hazard will be 
categorized according to the risk associated 
with the hazard. A hazard reduction precedence 
sequence is established in the Safety Plan and 
will be applied to each hazard which is identi- 
fied through the analyses or through any of the 
routine project reviews. The first item in the 
sequence is to design for minimum hazard. If 
a hazard is identified and can be reduced by a 
design change, such a change will be requested. 
When a hazard cannot be reduced through a de- 
sign change, a safety device shall be incor- 
porated into the system. Where it is not pos- 
sible to preclude the existence or occurrence 
of a known hazard, warning devices shall be 
used to permit early detection of the hazardous 
condition. Finally, special procedures shall be 
used to reduce the magnitude of a hazard where 
it is not possible to eliminate it. Data on those 
hazards which are in a category that could re- 
sult in death or disabling injuries to personnel, 
irreparable damage to the space vehicle, or 
damage to any ground equipment causing more 
than a 24 hour delay in the launch will be 
placed in the Viking Project Hazard Catalog. 

Hazard catalog inputs will be provided by 
each system and the catalog will be maintained 
by the integrating contractor for the Project 
Office. First inputs will be made at or near each 
system preliminary design review and will be 
maintained thereafter until launch. This catalog 
will be the method by which Project Manage- 
ment is provided a record of the status of each 
hazard so that the proper assessment of the 
hazard can be made and appropriate manage- 
ment action taken when required. 
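As an added illustration (not the Viking Project's own tooling; the hazard identifiers and sample hazards are constructed for the example), a small Python model of the catalog rules just described: the entry threshold, the hazard reduction precedence sequence applied in its fixed order, and a status record that flags any catalogued hazard carrying neither a control nor a documented accepted-risk rationale.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Consequence(Enum):
    """Worst credible outcome of a hazard, using the Safety Plan's categories."""
    DEATH_OR_DISABLING_INJURY = "death or disabling injury to personnel"
    IRREPARABLE_VEHICLE_DAMAGE = "irreparable damage to the space vehicle"
    GROUND_EQUIPMENT_DAMAGE = "damage to ground equipment"
    MINOR = "minor"


# Hazard reduction precedence sequence, in the order the plan applies it.
PRECEDENCE: Tuple[str, ...] = (
    "design change",
    "safety device",
    "warning device",
    "special procedure",
)


@dataclass(frozen=True)
class Hazard:
    ident: str                                  # hypothetical system-assigned id
    system: str                                 # Lander, Orbiter, Launch Vehicle, ...
    description: str
    consequence: Consequence
    launch_delay_hours: float = 0.0             # relevant to ground equipment damage
    feasible_controls: Tuple[str, ...] = ()     # precedence steps the system judges possible
    accepted_risk_rationale: Optional[str] = None


def meets_catalog_threshold(h: Hazard) -> bool:
    """Entry criteria for the Project Hazard Catalog."""
    if h.consequence in (Consequence.DEATH_OR_DISABLING_INJURY,
                         Consequence.IRREPARABLE_VEHICLE_DAMAGE):
        return True
    if h.consequence is Consequence.GROUND_EQUIPMENT_DAMAGE:
        return h.launch_delay_hours > 24
    return False


def select_control(h: Hazard) -> Optional[str]:
    """First feasible step in the precedence sequence wins, whatever order the
    system listed its feasible steps in."""
    for step in PRECEDENCE:
        if step in h.feasible_controls:
            return step
    return None


class HazardCatalog:
    """Project-level record of the status of each catalogued hazard."""

    def __init__(self) -> None:
        self._entries: Dict[str, Hazard] = {}

    def submit(self, h: Hazard) -> bool:
        """System input; returns True if the hazard entered the catalog.
        A later input for the same id supersedes the earlier status."""
        if not meets_catalog_threshold(h):
            return False
        self._entries[h.ident] = h
        return True

    def status(self, ident: str) -> str:
        h = self._entries[ident]
        control = select_control(h)
        if control is not None:
            return f"controlled by {control}"
        if h.accepted_risk_rationale:
            return "residual risk accepted: " + h.accepted_risk_rationale
        return "OPEN"

    def open_items(self) -> List[str]:
        """Hazards with neither a control nor a rationale: what management
        must see resolved or accepted before a Launch Readiness Review."""
        return sorted(i for i in self._entries if self.status(i) == "OPEN")

    def report(self) -> Dict[str, str]:
        return {i: self.status(i) for i in sorted(self._entries)}


def build_sample_catalog() -> HazardCatalog:
    """Constructed sample inputs from several systems (not real Viking hazards)."""
    cat = HazardCatalog()
    cat.submit(Hazard("LDR-01", "Lander", "ordnance arming during checkout",
                      Consequence.DEATH_OR_DISABLING_INJURY,
                      feasible_controls=("special procedure", "safety device")))
    cat.submit(Hazard("ORB-02", "Orbiter", "propellant tank overpressure",
                      Consequence.IRREPARABLE_VEHICLE_DAMAGE,
                      feasible_controls=("warning device",)))
    cat.submit(Hazard("GSE-03", "Launch Vehicle", "crane interference with fairing",
                      Consequence.GROUND_EQUIPMENT_DAMAGE, launch_delay_hours=72,
                      accepted_risk_rationale="single supervised lift, spare crane on site"))
    cat.submit(Hazard("GSE-04", "Launch Vehicle", "scratched access panel",
                      Consequence.GROUND_EQUIPMENT_DAMAGE, launch_delay_hours=4))
    cat.submit(Hazard("LDR-05", "Lander", "pressurant leak in enclosed work area",
                      Consequence.DEATH_OR_DISABLING_INJURY))
    return cat
```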

MANAGEMENT REVIEW 

The responsibilities have been assigned in 
detail and the requirements to be met by the 
Project have been identified. It is now the re- 
sponsibility of each system manager to imple- 
ment those requirements within his system. 
As part of the overall management responsi- 
bility the Project Manager and his staff will 
review and monitor the safety effort being ac- 
complished by the system managers. To per- 
form this function the project has established 
a series of incremental reviews for each sys- 
tem culminating in a final Launch Readiness 
Review two weeks prior to the first launch. 
These reviews cover all aspects of each system 
including safety. Inclusion of the safety effort 
in these project reviews is considered an im- 
portant part of the Viking safety program. This 
action brings to the attention of project man- 
agement those items which are being worked 
by safety personnel, it allows an open dis- 
cussion of these items by a review panel with 
expertise in many technical areas, and it per- 
mits a method of tracking safety items to de- 
termine that a proper resolution of the item 
has been made. 


CONCLUDING REMARKS 

In conclusion I would like to say that it was 
not necessary to sell the importance of a good 
safety program to Viking Management. Safety 
has been an important element of the Project 
since its inception. A very good safety plan has 
been developed; however, at this point in time 
the flight hardware is still in design and the 
effectiveness of our safety program is unknown. 
Our goal is no accidents or incidents and two 
successful landings on Mars in 1976. 
[Figure 5 residue: Requires technical interchange between project safety participants early in the program] 
[FIGURE 6 - VIKING SAFETY PROGRAM REQUIREMENTS] 

SYSTEM SAFETY APPLICATION IN THE 
OPERATIONAL PHASE 

The operational phase of a program assures 
completion of flight test programs and demon- 
stration of operational capability. It is mission 
performance. Support of this activity from a 
System Safety standpoint is failure analyses, 
hardware changes, procedural changes, acci- 
dent/incident analyses, and a great amount of 
involvement in ground operations. However, 
the operational phase really starts further back 
than at mission performance. I say this because 
one never finishes designing and manufacturing 
the system since requirements seem to change 
calling for improvements in the system. In this 
respect I consider the manufacturing, testing 
and material handling an important element of 
the operational phase and should be treated as 
such. 

No one disagrees with the concept 
that a good, safe product starts with the de- 
signer. System Safety effectiveness also starts 
there. During its short life, the major emphasis 
of System Safety has been in engineering and 
we can find voluminous material on System 
Safety engineering management, System Safety 
engineering, System Safety analysis, and so 
forth. With the emphasis on engineering, we 
sometimes forget that System Safety is a 
totally encompassing task, as the word system 
implies. As a result, important processes in 
the total system go unattended. What good does 
it do to engineer a functional, safe product; 
build it on time within budgeted cost; then have 
it damaged by inattentive handling or worse yet 
by not having handling equipment because the 
interface was not there. Someone forgot; 
someone overlooked. We need to stop and eval- 
uate the total System Safety process to assure 
we really are talking about a "system" oriented 
program. 

I’ll cover System Safety concern in manu- 
facturing, test operations, material handling, 
and flight test and flight operational phases. 
The reason for including manufacturing, test 
operations, and material handling is that it is an 
area that has lacked proper System Safety con- 
cern. 

Most manufacturing people do not have the 
luxury of knowing why certain hardware is de- 
signed a certain way. The engineer can only re- 
flect the design in drawings and specifications 


after the thinking process had culminated in an 
end concept. The manufacturer could easily 
envision the end product differently from a 
process standpoint and, gentlemen, this pro- 
cess analysis from a System Safety standpoint 
desperately needs to be accomplished early in 
the program. 

We need to: 

1. Look at facilities for emergency backup 
power, electrical protection against 
main power fluctuations, work platform 
locations, deluge systems, lighting, 
noise, accessibility, and the relationship of 
this equipment to the end product. 

2. Develop requirements for support items 
such as work stands, hoisting, confined 
entry, emergency procedures, safety 
critical operations such as welding and 
pressure tests. 

3. Conduct hazard analyses of the manu- 
facturing flow and develop disciplines to 
eliminate or reduce these hazards prior 
to the start of manufacturing operations. 

We have learned the hard way that playing 
"catch up" is expensive and very hard on the 
nerves, I might add. Lack of analysis has been 
the culprit in many instances, leading toward 
destruction of space boosters, test articles 
and components. Lack of process control has 
led to untold embarrassing situations. The 
accidents are often times shrugged off under 
the umbrellas of statements that "to err is 
human," "Murphy's law," and the like. It is 
often said, "We have time to do the job over, 
but never enough time to do the job right the 
first time." All of these so-called explanations 
are, in my opinion, unacceptable crutches and 
ways to avoid the basic problem. Many times 
we design traps for the men in manufacturing, 
test, and material handling. They need a good 
process analysis that can identify for them 
situations that are hazardous to the product as 
well as ways to protect them from personal 
injury. They need to be reminded about safety 
features required to assist them in doing the 
job right the first time. 

Let's back up a little and ask ourselves 
why not let the builders and users work closely 
with the designer in the early stages of design. 
Not just involvement in the design review but 
during the criteria development phase and the 
actual design. The outcome will be a safer and 
more efficient process along with being cost 
effective; the ground support equipment and 
handling equipment can be brought into the 
picture much earlier; and the transportation or 
movement of subassemblies and delicate parts 
can have parts protection considered during the 
design phase. You can already see that part of 
what we consider System Safety is getting 
everyone into the act not merely the system 
safety engineer but the people that are building, 
handling, and testing the product. System 
Safety, then, is part of the labor that goes into 
the product — a direct labor function that is 
looked at very carefully as to its contribution. 
The payoff is accident prevention as opposed 
to cure. 

(Refer to Chart) 

Early analysis in the manufacturing pro- 
cess identifies not only what is required to 
build the product but also the required skills. 
Training and certification of personnel helps 
assure that the job starts correctly. The next 
step is to match the process against System 
Safety standards. Those of us who are fortunate 
in having active standards know many of the 
pitfalls in process delays are avoided by as- 
suring standards are satisfied. If some stand- 
ards cannot be satisfied, our job in System 
Safety is to work with respective departments 
and keep the process moving in a safe manner. 
This is our contribution that is looked at very 
carefully. Don't misunderstand me here: I 
am not advocating disregard for standards by 
merely signing a waiver. What I am saying is 
that we in System Safety should not use the 
standard as a shield and say, "You can't do 
that!" The approach is — "we have a prob- 
lem!" and our job is to help get the program 
out of that problem. 

Review of documentation comes next. These 
reviews require approval of safety critical 
systems. That is of systems that need tighter 
monitoring because of damage potential. Cer- 
tain installations, pressure tests, major hard- 
ware moves at times require that extra pair of 
trained eyes from System Safety. So in these 
reviews we assure ourselves that planning 
documentation and process documentation have 
proper back-out procedures in case of prob- 
lems; safety cautions and warnings are identi- 
fied. Here again, we shouldn't only act as a 


filter — we should be helpful in making con- 
structive comments to make the process better 
and safer. Another word of caution — the re- 
sponsibility for safety must remain in each de- 
partment with each supervisor and with each 
employee. 

Testing operations provides a unique situa- 
tion for System Safety. Testers must under- 
stand manufacturing since there always seems 
to be some finishing up to do after the hard- 
ware is manufactured. This discipline must 
understand handling techniques and adapt them 
to the hardware being handled while undergoing 
checkout. They must also understand launch 
checkout and launch procedures since testing 
attempts in every way possible to duplicate 
the launch conditions. The concept that is 
followed is manufacturers build and testers 
test, resulting in a better product. 

Closing the loop is an element that many 
people overlook. 

Along with the imposition of standards and 
reviews, a key element is monitoring, audits 
and surveys. This gives Safety the opportunity 
to evaluate whether or not operating depart- 
ments are, in fact, living up to the safety 
standards. Modifications can be proposed 
through this performance monitoring, coupled 
with new methods, ideas, and worker behavior. 
We also have other sources; an important one 
being customer experience. Additionally, in- 
ternal and external experience can be evalu- 
ated. The final element of the action or moni- 
toring loop is feedback from the departments 
themselves in the form of communication 
monitoring and direct communication. When 
we combine all these elements of experience, 
performance monitoring, and communication, 
the next big step is to see if the resources we 
have available support the recommended 
changes and if these changes support the goals. 
We have to be practical here. System Safety 
has to consider the safety aspects but also cost 
effectiveness. Our talents are put to the test in 
walking the fine line between the two. An un- 
bending, non-innovative, to-the-book System 
Safety department is worthless in this situa- 
tion. 

Our final step is to take the results of the 
analysis and feed them back in the form of 
constraints within the operating departments 
which can take the form of additional checks 
and balances in the control and procedural 
documentation; in modifications to the system 
safety standards. I might add that these modi- 
fications can take the form of either being more 
stringent or in easing of requirements. This is 
a constant learning process. The other con- 
straint is a feedback into the engineering world 
by way of requirements, specification changes, 
retest requirements, hardware protection, and 
the like. 

In a short period of time, I have attempted 
to show a closed loop flow which includes the 
impact of good System Safety involvement in 
the early portions of the program as well as 
the very important feedback loop. It is obvious, 
if the involvement comes at some time after 
start of the program, we play "catch up" for 
the remainder of the program. You don't have 
enough trained safety personnel to go back and 
review every drawing that was pumped out, 
every drawing that is being pumped out now, 
and attempt to monitor and take action on the 
feedback loop. Gentlemen, you chase your tail 
and never catch it. 

I indicated to you earlier that I consider 
manufacturing, test, and material handling a 
part of the operational phase. There are two 
elements of operations that fall within my 
definition of operational phase. The first has 
to do with manufacturing operations, test 
operations, and material handling operations. 
This is the potential damage from people, 
processes, procedures, checkouts, and the like. 
The second element is the hardware operation 
with potential damage to mission and crew from 
insufficient primary or secondary systems. In 
the latter, the safest possible approach for 
overcoming hardware operational problems or 
emergencies would be to develop all the equip- 
ment and procedures so that the crew would 
have the option to select the most applicable 
from the protocol of emergency actions. These 
emergencies could be single or combinations 
of explosion during boost or orbit; severe in- 
stability during boost or orbit; loss of thrust 
during boost; fire; trajectory deviation; cap- 
sule decompression; life support system fail- 
ure; power failure; subsystems failure; and 
loss of retro thrust. And there are many more 
to consider in separation, docking, maneuver- 
ing and the like. However, recognizing the 
limitations in time, money, and manpower, 


there must be a reasonable investment in study 
analysis and development testing to determine 
what is practical. This activity provides a 
rationale for setting design requirements. 

The several occurrences of failures in 
flight, both major and minor, serve notice, in 
view of space hazards and more ambitious pro- 
grams, that added attention to the potential 
requirements for operational safety can be 
justified. These operational emergencies are 
serious incidents which interrupt, either tem- 
porarily or permanently, the normal course of 
the mission plan. As indicated, such incidents 
may be anticipated or may occur unexpectedly. 
Anticipated emergencies can be countered by 
careful planning and implementation of action 
prior to the event, redundancies, and rapid and 
efficient action following the event. These ac- 
tions all fall under the category of analysis that 
takes place early, prior to the design phase. 
The unexpected emergencies are those that 
were not thought to exist or were overlooked. 
During the hardware operational phase, these 
are the ones that bother us the most. What did 
we forget? The number of possible operational 
problems is virtually endless. No situation or 
system can be seen that is entirely immune to 
all such events. We must select the credible 
accidents or emergencies and act on them. So 
from my introductory definition, I find it dif- 
ficult to separate the "people building" from 
the "people operating" phase. Considerations 
must be there for both, early and continually. 
The actions taken early, prior to and during 
design phases, helps us get prepared to pre- 
vent emergencies and provide recovery ac- 
tions. There is ample opportunity for Safety 
to become involved, to be able to raise ques- 
tions as to readiness. The review process has 
matured and includes: the preliminary design 
review; the critical design review; the first 
article configuration inspection; flight readi- 
ness review; and the design certification re- 
views. 

In summary, a continuing emphasis placed 
on preventing accidents or emergencies 
through hardware design, manufacturing, test 
operations, handling, and operational mission 
analysis can give us the greatest return pos- 
sible in the area of safety for the resource 
expenditure devoted to that end. 
During the development of the Apollo Pro- 
gram spacecraft, the complexity of the vehicle 
systems and the pressures of mounting costs 
and time schedules established a requirement 
for company and NASA management visibility 
to support intelligent decisions with respect to 
risk management. These considerations, with 
the added emphasis of the Command Module 
fire at Cape Kennedy in early 1967, led NASA 
to establish the Office of Manned Space Flight 
Safety and to implement formal safety pro- 
grams at all NASA Centers and at major con- 
tractor facilities. 

LM SAFETY 

Grumman, as a major contractor, was au- 
thorized to establish a formal LM System 
Safety program covering the main production 
facility at Bethpage and field site operations at 
Houston, Cape Kennedy and White Sands. The 
Grumman safety effort prior to implementation 
of this LM System Safety program was limited 
to a test operations group working with the 
spacecraft assembly and test organization and 
an analytical safety effort within the LM engi- 
neering organization. This early effort, co- 
ordinated with Reliability and the engineering 
subsystems groups, had identified crew haz- 
ards in the spacecraft and had implemented 
hardware fixes or compensating operating pro- 
cedures for the flight crew data file. The im- 
plementation of a formal program based on an 
approved System Safety Plan provided a con- 
sistent and systematic effort, increasing the 
probability of detection of potentially hazard- 
ous conditions by in-depth design review by the 
safety group. 

OBJECTIVE AND SCOPE 

The objective of the program was and is the 
elimination or reduction of risk to personnel, 
material, and facilities resulting from failures 
or malfunctions in hardware or procedures. 

The scope of this wide-ranging program was 
an integrated engineering, test operations and 
industrial safety effort in direct support of LM 
design, production and test activity in the 
Bethpage area. Indirect support and liaison was 
provided to the Grumman field sites and NASA 
offices. Safety support included analysis of 
design and proposed design changes for flight 


hardware, ground support equipment and facil- 
ities; the exchange of information on hazard 
assessments and accident experience, and re- 
view and analysis of discrepancies and anom- 
alies reported during ground test and flight 
operations. 

REFERENCES 

The NASA Safety Manual (NHB 1700.1) and 
the System Safety Requirements for Manned 
Space Flight (OMSF SPD NO 1A) are the pri- 
mary NASA source documents for the LM 
System Safety Program. 

Other documents utilized in the develop- 
ment and implementation of the Program in- 
clude applicable Grumman Corporation Pro- 
cedures and Federal, State and local statutory 
requirements, and the USAF Systems Com- 
mand System Safety Design Handbook DH 1-6. 

ORGANIZATION 

The organizational structure adopted pro- 
vided for a Manager on the staff of the LM Pro- 
gram Director heading a Safety group with two 
branches, System Safety and Test Operations 
Safety. The System Safety branch supports LM 
Engineering and provides liaison service to the 
field sites and to cognizant NASA offices. The 
Test Operations branch supports production 
and test operations and provides industrial 
safety service to all LM Program personnel 
and facilities. 

LM Safety provides support on a day-to-day 
basis to all Program groups and, in turn, re- 
ceives support from Engineering, Reliability, 
Q.C. and the Sub-Contract managers. This 
closely coordinated effort assures maximum 
utilization of all available documentation and 
avoids duplication. 

SAFETY FUNCTIONS 

There are four major functions of System 
Safety on the LM Program - Analysis, Re- 
view, Surveillance and Test/Mission Support. 
Each of the functions includes a number of de- 
tailed tasks - some basic to any system safety 
effort and some peculiar to the LM program. 

• Analysis 

The analysis function includes a hazard 
assessment of each spacecraft subsystem, 
performed on a functional basis for each mis- 
sion phase. The FMEAs (Failure Mode and 
Effect Analyses) from Reliability, the Mission 
Time Lines, and the documentation from other 
subsystem groups are utilized for a detailed 
study which considers both ground and flight 
crew operations as well as hardware failures 
in identifying hazards. The study effort classi- 
fies hazards as crew safety or mission success 
and confirms compensating provisions or back- 
out procedures. Uncompensated hazards are 
reported to the cognizant engineering group 
and are tracked to final closeout by hardware 
or procedural changes. 

This technique is also applied to proposed design changes, which are analyzed for personnel or hardware hazards and are followed up through the approval cycle to installation and retest or rejection.

An example of the hazard assessment ef- 
fort is the analysis which was completed for 
LM-5, the vehicle which flew on Apollo 11 and 
made the first lunar landing. The functional 
analysis of each subsystem was performed for 
the mission phases during which the spacecraft 
was active. The subsystem functions were 
evaluated for their effect on the flight crew, 
vehicle, and mission; the adequacy of contin- 
gency procedures, and other compensating pro- 
visions. The comparison of mission phase per 
sub-system function was related to methods of 
detection, time criticality, and availability of 
corrective or backout procedures. Uncom- 
pensated hazards were identified and evaluated 
and a rationale for their acceptance or rejec- 
tion provided. This analysis revealed no crew 
safety hazards requiring hardware changes. All 
hazards identified were of the "acceptable 
risk" category based on the compensating pro- 
visions available in the vehicle. Procedural 
changes were recommended, however, to en- 
hance mission success. These included an in- 
dependent exercise of the redundant explosive 
device systems and constraints on attitude 
changes during the period while the lunar and 
command modules were "soft" docked on the 
capture latches. The capture latches are the 
devices on the Command Module probe which 
initially engage and lock-on to the LM drogue 
mounted in the top deck tunnel area. "Hard" 
docking is the subsequent action of retracting 
the probe and engaging the twelve docking 
latches. 


This major analytical effort has since been utilized as a baseline study for the program, with each of the follow-up spacecraft reviewed emphasizing the hardware and mission changes incorporated since LM-5. Analysis of these later vehicles' missions has identified additional hazards which have been compensated by hardware changes or procedural workarounds incorporated in the crew checklists and mission rules.

• Review 

The Review function includes those tasks involved on a continuing basis with the review of test and working documents and the operations they control.

Operational Checkout Procedures (OCPs) which are utilized for subsystem and system 
checkout are reviewed. Particular attention is 
devoted to revised procedures and to changes 
proposed during operations. The hardware set- 
ups utilized for tests are included, with em- 
phasis on safety provisions such as relief 
valves, hose restraints, proper bonding and 
grounding and the like. Hazardous sequences 
in these operations are identified and marked 
and special control exercised while they are 
in-work. Real-time deviations to procedures 
are reviewed, with a safety concurrence and 
sign-off required for those designated hazard- 
ous. 

An early and highly satisfactory Review effort was the Operational Readiness Inspection (ORI) conducted on the LM Internal Environment Simulator (IES). This altitude chamber facility was designed to provide checkout and verification of the LM life support system and involved manned runs in 100% oxygen environments. The ORI was conducted in accordance with NASA directive MSCI 8825.2, which establishes criteria for manned operations in oxygen-rich environments. GAC believes that the ORI conducted under 8825.2 is an extremely valuable safety tool for any facility requiring man-rating. Effective program cost control will tailor the ORI, the Board size, and the scope of activity to the hazardous nature of the facility being inspected.

Prior to the LTA-8 LM test vehicle operations in the MSC Houston altitude chamber, a review of the OCPs to be utilized during the tests was conducted by a special team of subsystem engineers, coordinated by LM System Safety engineers. These tests, the first manned LM operations in a simulated space environment, were identified as extremely hazardous and a thorough analysis of every phase of the operation was conducted. The Safety Review team identified numerous procedural problems, all of which were corrected by changes to the documents prior to the chamber runs.

A similar review of the test documents to be utilized during the checkout of LM-1, the unmanned first flight spacecraft, was conducted at Cape Kennedy by the LM Hazard Review team. This review, chaired and coordinated by LM System Safety program personnel, covered thirty-seven documents and identified and documented fifty-three hazards. In three cases, hardware fixes were required and change requests were initiated. The remainder of the hazards were satisfied by procedural changes incorporated in the test documents.

For the first manned flight, LM-3 in earth orbit, the team reviewed the documents to be utilized for the preflight spacecraft checkout and altitude chamber runs at KSC. This team also identified more than fifty hazards requiring changes to the procedures, all of which were incorporated in the test documents. More important than these statistics, however, was the heightened interest stimulated in hardware, test set-up and procedural changes when the Safety Review was scheduled and imminent.

With each of these safety reviews, confi- 
dence in the spacecraft and the test procedures 
increased and on completion of the LM-3 
assessment, formal reviews were terminated. 
However, procedural changes proposed during 
any test or operation are still reviewed and 
approved by Safety prior to their incorpora- 
tion in the documents. 

An additional Review task is the investigation and reporting of accidents which occur during production or test operations. On the LM Program, an accident is defined as any unplanned event which results in injury or damage to program material or facilities. All accidents are thoroughly investigated and reports submitted to cognizant management and NASA offices. Recommended corrective actions are tracked to close-out, with periodic status reports to responsible groups.

Experience on the Program to date shows a steadily declining accident rate, with 3.9 accidents per million manhours in 1969 and a low of 2.2 in 1970. During a one year period, from May '69 through May '70, more than 8,000,000 man hours were worked without a disabling injury. Analysis of the accident record indicates that the majority of the accidents are caused by carelessness and failure to follow procedures. Some typical examples include the following:

1. A facility technician installing a workstand on a concrete floor was setting studs with an explosive-actuated gun. To expedite the job, he attempted to drive a stud through a pre-drilled hole in a flange of the stand instead of using a clip held by an additional stud. Missing the hole, the stud ricocheted off the flange and floor and struck the man on the jaw, where it lodged and was subsequently removed surgically.

2. During installation of replacement components in the spacecraft heat transport (cooling) system, a technique involving freezing the system fluid in the coolant lines with liquid nitrogen coils was being utilized. (This process permits cutting lines without draining the system or introducing air into the lines.) An inadequate temperature gage and inattention by the man monitoring the temperature allowed the plug to thaw and pop out. Attempting to stop the flow of glycol, the technician held his thumb over the open line, suffering second degree cryogenic burns from the escaping fluid. In addition to the injury, extensive cleaning was required to remove the spilled glycol from wire bundles and spacecraft structure.

3. At the start of the transfer of approximately 2 SCO gallons of waste alcohol from a facility storage tank to a tank truck, the 3" pickup hose ruptured, spraying approximately 100 gallons of alcohol over the truck and the surrounding area before the transfer pump was stopped. There were no injuries and no other damage, although the incident was potentially catastrophic considering the amount of alcohol involved and the ignition sources present in the area. Prompt action by the Safety Engineer and the Fire Guard covering the operation minimized the spill and dissipated the free liquid. Cause of the accident was an unqualified driver-operator on the tanker who did not operate the pick-up pump and valves in proper sequence.

Also included in the Review function is the tracking of close-out action on safety-significant failures which occur during test or flight operations. While the primary responsibility for failure close-out action rests with the Reliability group, Safety is concerned with failures involving hazards to ground or flight crew personnel and makes full use of the Reliability documentation which is available. Identification of those failures for which Safety has a responsibility is based on criteria established by the Safety group in accordance with hazard classifications developed by NASA. Action in tracking these failures consists of coordinating with the responsible engineering subsystems groups and continuing the follow-up to final close-out.

LM Safety also reviews all ground support equipment failures, assessing hazards to personnel or hardware, and coordinates with the GSE group on close-out action. For common-use GSE, which is shared with other contractors, an information exchange procedure has been established to assure timely corrective action on all hardware at all sites.

We have found that the daily Program Status meetings attended by the Program Director and Engineering subsystems managers provide maximum visibility on developing problem areas and the opportunity to initiate immediate corrective action. This activity is a major day-to-day function of the system safety group.

• Surveillance 

The surveillance function is primarily the activity of the Test Operations Safety group. All manufacturing and test facilities are monitored for compliance with safety requirements and for adherence to current Corporate Procedures and legal requirements of local and Federal safety statutes. Identified hazards are corrected immediately or the work area is tagged out-of-service. This coverage is provided by Safety on a full-time basis for all scheduled operations, 24 hours per day, seven days per week.


• Test and Mission Support 

Safety support of test operations includes participation in Test Readiness Reviews and Pre-test Briefings. Safety requirements and emergency procedures are reviewed with the test team and qualification of test team members confirmed with the Test Conductor.

Frequent surveys of test facilities are conducted to assure adherence to established safety requirements. Special attention is devoted to hoisting and lifting equipment, pressure hose restraints, proof testing of equipment, and installation of safeguards such as kick plates, guard rails, safety nets, etc.

Test team training and certification (as 
required) are monitored and frequent drills in 
emergency shut down or back-out procedures 
are conducted. Authority for safety approval of 
deviations to hazardous test procedures is 
delegated to the safety engineer on duty. The 
Safety Manager is the only Authority for 
waivers - which are granted for one-time ex- 
ceptions to established safety requirements or 
rules. In all such cases, additional specific 
safety requirements are imposed. 

During hazardous test sequences or operations, a safety engineer is required to be present at the test site at all times. His support of the activity includes real-time approval of procedural deviations, equipment changes, and maintenance of a safe test environment throughout the facility.

For the Apollo Missions, LM System Safety engineers are assigned to the Mission Support Team and provide full coverage of all LM active mission phases in the Bethpage mission support room. Activity in this role includes participation in the mission simulation training runs, flight crew debriefings, and follow-up on flight anomalies and discrepancies.

SUBCONTRACT SAFETY 

For the task of reviewing the safety of the Program sub-contractors, the LM Safety team monitors the formal review activity of the Reliability, Quality Assurance, and Sub-system Engineering groups which have primary responsibility. Reports are reviewed regularly and the safety group participates when required for on-site reviews. Documentation and advisory service are supplied to the regular inspection teams and to the resident personnel in the plants. LM Safety provides personnel and participates on-call for investigations of accidents or when plant conditions involving safety are being reviewed. Recommendations resulting from investigations or reviews are made to Program Management, with follow-up to assure implementation of approved changes. This coordinated effort with the QA group has been demonstrated to be a satisfactory, cost-effective method of monitoring a vast network of sub-contractors.

FIELD SITE SUPPORT 

An essential element of the LM safety effort is support of the Grumman field sites at MSC Houston and White Sands, with the Bethpage Program office providing policy direction and liaison between sites. The Houston operation is primarily manufacturing and test in support of Grumman activity at NASA MSC. At White Sands, the company provides engineering and material support for the engine firing and propulsion system tests conducted in the test cells.

At KSC, the company maintains a safety 
group which provides all required functions for 
the local activity. Liaison and coordination for 
this group is also provided by the LM Safety 
organization at Bethpage, particularly in the 
area of spacecraft technical support and in the 
exchange of operational experience and infor- 
mation. 

REPORTS 

Management visibility, both for NASA and Grumman, is provided by regular and special reports of significant events and safety accomplishments on the Program. A monthly status report is provided to the MSC Safety office with other special reports as required.

An accident reporting system has been established to provide the background material for positive preventive action. All occurrences are recorded, utilizing a simple, one page form, and are followed up until final close-out action is complete. Reports and periodic summaries are distributed to Program, Corporate, and NASA offices to assure maximum benefit to other groups with similar problems.


MEETINGS 

Accident experience and preventive actions were also shared with other contractors and the NASA Centers by means of the STEMs (Safety Technical Exchange Meetings) sponsored by NASA. These valuable meetings were scheduled periodically at the Centers or at Contractors' plants and provided a useful forum for the exchange of information.

Currently, the LM Safety group participates in regular Safety Concern meetings via telcons with the MSC Safety office. This coordinated approach avoids duplication and assures maximum effort on follow-up and close-out of identified hazards.

CONCLUSION 

The application of System Safety principles to the LM Program has been eminently successful by any standard. In the face of the pressures of tight schedules and shrinking budgets, LM manufacturing and test operations have been on time, with a continually declining accident rate. The LM spacecraft performance on the Apollo missions to date - from the first lunar landing by Armstrong and Aldrin in LM-5 to the latest by Shepard and Mitchell in LM-8 - has met or exceeded all mission objectives. The success of the total effort to put man on the moon marks Apollo as probably the most significant program of our age. As a small part of that total effort, LM System Safety made a contribution which will continue, maintaining or improving the standards established for the Program until the final Apollo mission is flown.
In keeping with the theme of this year's conference, I would like to present to you the differences in applying system safety techniques to present space programs and highlight the role that system safety plays in providing management a working tool for determining the degree of risk or liabilities associated with both the manned and unmanned space programs. Two ongoing NASA programs will be used throughout this discussion for comparison; they are the Skylab Earth Orbiting Laboratory (Slide 1) and the Viking Mars Lander (Slide 2).

The most significant reason for applying 
system safety to these programs, and the rea- 
son which precludes the need for any debate, 
is past accident/incident experience. When 
we relate to the monetary loss of aerospace 
hardware that the nation has experienced dur- 
ing the last decade, it staggers the imagination. 
Part of this loss experience can be attributed 
to our early days of trial and error, when 
we were pioneering aerospace technology and 
at a time when international prestige was 
wavering because of the space efforts of other 
nations. Playing catch up is risky business 
and obviously risks were taken based on the 
availability of information at that point in 
time. 

We have progressed significantly from this period of time, as substantiated by the increasing number of space program successes. However, more ambitious projects require more exotic and complicated hardware. With the first manned flight came increased concern for crew safety, establishment of safety requirements and standards, and emphasis of safety to all program personnel. This was done with the knowledge that the crewman is capable of using judgment and would contribute to the decision making processes whenever a situation arose that encroached on the margins of safety provided in the design of the hardware or the operation. Manned space programs have one asset not enjoyed by unmanned space programs; this is the crew member and his abilities to observe, assess and rationalize system malfunctions or unscheduled events during the course of the mission. I would like to defer any reference to specific unscheduled events or accidents that have taken place; however, to make a point very clear as to the value of this asset, reference is made to the flight of Apollo 13. Specifically, the capability of crew members to establish a lithium hydroxide system as a part of the life support system when standardization of lithium hydroxide canisters for all crew quarters, LEM and Command Module, was not a part of the system design. This was an onboard fix and was in part a real contributing factor to decreasing the risk associated with crew survival.

To present the degree of system safety 
application that is considered essential to the 
safety of mission objectives, for both pro- 
grams, consider first the common aspects and 
then review the details and differences that 
are required for the individual programs. 

The safety objectives common to both manned and unmanned programs are:

Initial System Safety Planning 

1. Understanding the program objectives. 

2. Identify gross hazards associated with 
the hardware concept. (Gross Hazard 
Analysis) 

3. Establish baseline safety design cri- 
teria. 

4. Draft the system safety program plan 
commensurate with the program objec- 
tives. 

The Design Phase 

1. Analysis of systems and subsystems. 

2. Detailed safety design requirements. 

3. Hazard reduction program. 

4. Management visibility to risk. 

5. Flight crew procedures. 

The Hardware Build and Test Phase 

1. Review of procedures (manufacturing 
and test). 

2. Test crew certification and training. 

3. Review of tests' data. 

4. Launch procedures' review. 

5. Launch operations (KMI 1700.1 and 
AFETR 127-1). 

6. Flight procedures. 

7. Crew Training. 

The Mission Phase 

1. Contingency plans. 

2. Emergency procedures. 

3. Simulations. 
Having considered the commonalities, we have to come to one conclusion and that is: the technique is the same. The real difference lies in the degree and requirement for applying the techniques to the individual programs. Looking at the Program Planning Phase we find the following:

Initial System Safety Planning 

1. Understanding the program objectives. 

2. Identify gross hazards associated with 
the hardware concept. (Gross Hazard 
Analysis) 

3. Establishing baseline safety design cri- 
teria. 

(a) Design Handbook (AFSC/NASA DH 
1-6 and DH 1-X). 

(b) NASA Accident/Incident Summaries. 

4. Draft the system safety program plan 
commensurate with the program objec- 
tives. 

In the unmanned program the crew is essentially the science committee and Mission Control on earth, and all efforts are concentrated on obtaining scientific data through the use of automated spacecraft. Therefore, the role of system safety must interface with the science authority to the extent necessary to acquaint the scientist with the fact that system failure of hardware designed to launch and deliver science experiments to their destination is as important as the experiment itself. Further, it must be understood that the data acquisition of science hardware is still the scientist's domain; however, the mechanisms that deploy it, energy and power for it, as well as the communication link between experiment and earth, interface with transporting hardware and therefore become a matter for system safety as well as engineering. However, with a manned system the crew consists of the Flight Crew and Mission Control and the safety effort concerns itself with protecting the crew as well as the scientific objective of the mission. System safety that is concerned with a manned system must understand the crew complement, the mode of operation of the crewman, i.e., suited/unsuited, IVA/EVA, and, in general, what tasks the crewman will be required to perform. To be more specific in this area: what tasks will require a suited mode; is there a requirement for a fire extinguisher system and caution and warning system; what requirements are specified for material controllability (such as NASA Document No. MSFC Spec 101B, "Spec Flammability, Odor, and Offgassing Requirements and Test Procedures for Materials in Environments which Support Combustion"); and any other program objectives or mission constraints.

During this initial planning phase, system safety must identify the gross hazards associated with the conceptual design of the hardware and the preliminary mission planning. The gross hazard analysis is a requirement that must be accomplished by both the manned and unmanned missions. It is performed to obtain the initial safety evaluation of the program. The primary objective is to provide the basis for subsequent system safety tasks, safety criteria and other requirements that must be established.

When the gross hazard analysis has been evaluated, safety must generate the baseline safety design criteria to be used during the detailed design phase. Since, at this point in time, we should know what the conceptual design will be, we can now review the AFSC/NASA DH 1-6, DH 1-X, and the NASA Accident/Incident summary documents to establish our baseline safety design criteria. If we have criteria availability problems, we may use the AFSC/NASA DH 1-6 information sources listings. Through this listing we may contact knowledgeable people in the technology field of interest for new criteria being developed in laboratories that may be useful to our program. After having developed an understanding of the above data, we now can generate a system safety plan that is commensurate with the program objectives, which is cost effective and will provide us the safety necessary to mission success.

The Design Phase 

1. Analysis of systems and subsystems. 

(a) Baseline. 

2. Detailed safety design requirements. 

(a) Update baseline incorporating pro- 
gram peculiar criteria. 

3. Hazard reduction program. 

(a) Hazard Catalog. 

(b) Safety Assessment Reports. 
4. Management visibility to risk. 

(a) Design Reviews (PDR, CDR). 

(b) Management Reviews. 

5. Flight crew procedures. 

(a) Mission Rules. 

When the program enters the design phase the safety engineer begins updating and expansion of the gross hazard analysis that was conducted during the initial program planning. Many references are available on the types of analysis which are applicable to this expansion. When the system safety engineer understands the mission of the unmanned program, he is in a better position to select the safety analysis method most applicable to the science package and all of its ramifications as it affects microbiology, terminal sterilization, and the varying degrees of hazards introduced by fully encapsulated spacecraft which are armed, loaded and pressurized prior to reaching the launch pad. Risk and hazard assessment play an important role since you can no longer depend on procedurally controlling hazardous configurations and the introduction of hazardous materials or devices as late in the countdown as possible. System safety risks are now beginning to present themselves at the laboratory and it is at this point in time that effective system safety analysis and the conclusions of those analyses can preclude potential hazards evolving later in the program. Therefore, safety priorities are established for the hardware used to acquire scientific data as well as the hardware and operations that will deliver it to its destination.

The scientific community identifies what it wants to accomplish, where on the planet it can best make its acquisition, and what it believes the results should be. To get them there becomes the challenge confronting engineering. Engineering now has to work the problems of transporting and deploying the science package and this includes providing the capability to automate and control the spacecraft to its final destination and to support the life cycle requirements of the scientific objectives. The system safety role for unmanned space programs now must consider the hardware and operational interfaces associated with both the role of science and the role of engineering. Although the system safety analyses of subsystems and systems are common to both manned and unmanned programs, it can be identified that the degree of analyses and the tradeoffs on the analytical results that identify hazards are somewhat different. Redundancy for precluding single failure points on critical spacecraft system operating modes becomes a priority since crew participation is not available. Therefore, all critical or catastrophic hazards identified must be eliminated because the degree of risk is unacceptable for mission success. Onboard repair and/or flight plan revisions are not a negotiable tradeoff for unmanned flight and this dictates that system safety analyses consider the system reliability criteria to be verified during environmental testing and qualification and checkout of systems when categorizing the hazards identified as a product of the analyses that are performed. The significant point to be made here is that system safety engineers must recognize and understand the success criteria for environment and qualification testing of systems, and that such criteria are equivalent to or exceed the safety of design requirements or margins, to insure the system is not unsafe and will not in itself be the cause of mission or mission objective loss.

The system analysis that is selected for the manned program must provide a smooth transition into the operational hazard analysis used during the operations phase of the program. This requirement is a must to insure that hazards identified during the design phase that cannot be removed by design can be flagged until they are solved by procedure and/or caution and warning systems. As an example, the next two slides (3 and 4) show an experiment on each of the programs (Viking and Skylab). The Viking soil sampler must work every time, and if it does not, there is no one to fix it. However, the Skylab Experiment T025 extends through the Scientific Airlock of the Workshop and if it cannot be retracted a flight procedure provides for a crewman to jettison the extension boom overboard. Hazard reduction programs are essentially the same for both types of space missions. However, with unmanned missions you have the added responsibility to consider long term transcruise modes to planets. (For example, Viking is 360 days.) This aspect is a serious consideration of science, management and engineering and should be as important to the safety role when searching for system hazards and providing recommendations for the reduction of hazards or risks to the mission. Will it work when it gets there is the responsibility of engineering, but will it work safely is still a priority, and system safety should apply the "what if" technique and make a contribution by revealing any discovery of potential hazards to the responsible design engineering agency. Earth bound accidents have been caused by some rather unique nonoperational conditions: stress corrosion, decomposition of materials during long term storage, and ordnance explosions, to cite a couple of examples. These examples are of the obvious types; however, system safety engineers make a contribution by ferreting out the not so obvious conditions that could cause accidents, and this is a very significant system safety role when you consider the length of time associated with the unmanned mission versus manned missions. The reduction of hazards can be substantial providing early identification can be accomplished. Therefore, system safety analyses and hazard reduction programs are interdependent and you cannot be effective by accepting one and not the other. There is an old adage, "Where there's smoke, there's fire," and so with unmanned aerospace systems there is always good reason to be concerned about that which you cannot manually control or have visual observation and human capabilities to secure before the not so obvious becomes the obvious.

As the safety analysis progresses, new requirements are necessary and at this point the updating of the baselined design requirements must be accomplished. If this is not done, problems that have been solved continue to appear, causing much effort in looking for solutions.

This approach results in the system safety discipline engaging in the task of establishing safety requirements and margins based on what needs to be done or what will be done, rather than being totally engaged in monitoring for inclusion of existing requirements. These design safety requirements are extremely important when you consider that each spacecraft weight saving made during spacecraft design development is an opening for inclusion of additional science experiments, and this substantiates the reason for the interfacing of system safety with the scientific community.

With the safety analysis and design requirements completed for basic design reviews, the operating methodology for hazard identification and control is done in two different ways. For the unmanned program the Hazard Catalog (HC) is used as a summary of the hazards that have been uncovered by the analysis and have not been solved. The manned program uses the Safety Assessment Report (SAR) to evaluate each hardware system. Why the difference? The unmanned program is usually very complicated, but uses very few contractors and one procurement agency, and all of the hazards can be cataloged in one document; whereas the manned program, Skylab, has four major modules, sixty experiments, and over 20 contractors working with five NASA centers, which makes it much easier to use the Safety Assessment Report. 

The design reviews (PDR, CDR, TDR) are the place where the SAR and HC are reviewed with the hardware design to assure all hazards have been identified and action taken to correct those identified as catastrophic (see MIL-STD-882). The remaining identified hazards are presented with recommendations for correction. The correction can be a redesign, a safety device, or procedure controls. Here caution should be taken in the unmanned program: a procedure fix is nearly always ruled out, and a safety device should be used with caution since it may have to be removed; therefore, either redesign or accept the hazard and assure it is flagged in the hazard catalog. 

The flight procedures are now considered, and if this term is used to include the ground (Mission Control) and flight (crew) procedures, it can be seen that both programs need the Mission Control procedures, whereas only the manned program requires the flight crew procedures. Taking the SAR, HC, and outputs of PDRs, CDRs and TDRs, we must see that they are provided as initial input at this time to these procedures. 

Progressing through the development of the programs, the next phase is the 

Hardware Build and Test Phase (Slide 11) 

1. Review of procedures (manufacturing and test). 

2. Test crew certification and training. 

3. Review of tests' data. 

(a) Special Test (Vacuum Chamber). 

(b) EMI - Environmental. 

4. Launch procedures' review. 

5. Launch operations (KMI 1700.1 and AFETR 127-1). 

6. Flight procedures. 

(a) Emergency Procedures. 

(b) Contingency Plans. 

7. Crew Training. 

(a) Simulations. 

(b) Training Hardware. 

The procedures that will be used during 
the build and tests are subjected to a safety 
review regardless of the type of program. 
In most cases these procedures are reviewed 
by both System Safety and Industrial Safety 
engineers. Another area that is considered is 
the training and certification of the personnel 
that will manufacture, test and checkout the 
hardware. 

The training of personnel required for 
manufacturing, handling, inspecting, testing, 
and launching of space programs assures 
their capability for competently performing 
the required program functions. The cer- 
tification encompasses system knowledge, 
training course completion, adequacy of indi- 
vidual and crew capabilities. To assure prod- 
uct integrity through all phases of develop- 
ment, test, and operation, it is mandatory 
that all activities which contribute to pro- 
gram success are performed by certified 
personnel. 

MIL-STD-882 recognizes the importance of operational and maintenance personnel training and crew qualifications and certification by requiring them as part of the system safety program. 

Proceeding into the test program, the safety engineers are concerned with the tests' performance and the data derived from same. Specifically, special tests such as vacuum chamber, simulations, aircraft zero-g (KC-135), vibration, etc., are tests where the safety engineer can learn much about the hardware that is now built. The tests can validate the criteria that were used, and more importantly, the data can assure that the procedural requirements to be imposed during launch and mission are valid. 


System safety has now progressed from 
the initial program concepts to hardware that 
is built and tested and now ready to perform 
the mission. 

The hardware is now transported to the launch center to be mated with the launch vehicle. If the safety engineer has performed his tasks throughout the program, this becomes a routine step; however, invariably it is found that someone has not complied with KMI 1700.1 and/or AFETR 127-1, and many problems now occur with Range Safety. It is imperative that compliance with the range documents begin during the hardware design and continue throughout the program. The requirements for the unmanned program should be subjected to a very strenuous review due to the fact that many times ordnance must be installed, pressure systems require charging, and power systems must be hot prior to movement to a launch pad. Usually the manned program does not require these hazards to be introduced until the countdown for launch has begun. 

The launch and flight crews have been in training for quite some time at this point; however, the training and simulations become much more strenuous during this period. The emergency procedures must be validated through simulation and final corrections made. The contingency or backout procedures have to be practiced and finalized. This is the time that system safety checks the HC or SAR to assure all hazards that have been identified during the program are closed. The closing action may be redesign, procedure, or a program decision to fly with the hazard; regardless of how, all items must be closed out. Now, and only now, is system safety ready at the Launch Readiness Review to report to program management that the vehicle is safe and ready to commit to the mission, with known safety factors and, in the cases where total close out of the hazard has not been accomplished, the degree of risk that is being accepted. 

Management visibility to non-acceptable, as well as acceptable, risk is in the final analysis the product of an effective system safety program for either the manned or unmanned program. Rarely has management overlooked high risk areas of inherently hazardous materials, systems or operations when identification of the hazards was made known and the proper controls, required procedures, and devices were provided to control the risk. Conversely, management has been a victim of high cost losses and liabilities due to phenomena that were not controlled because of lack of information on risks, and cost constraints where the hazards are not identified early in the program. 

The mission phase now becomes another major step, and the differences between the two programs are extreme. 

The Mission Phase 

1. Contingency plans. 

2. Emergency procedures. 

3. Simulations. 

In reviewing our two programs (Skylab and Viking) for their particular missions, we find that the initial launch of Skylab is in reality an unmanned program. The Workshop is launched and mechanisms must operate, such as the Apollo Telescope Mount (ATM), which must unfold from the stowed position to the operational position, without a crew aboard to make any visual observations or take any corrective actions. However, if the deployment systems were to malfunction, there still remains the contingency plan whereby the crew may be able to rendezvous with the laboratory and fix the malfunctioning part of the system. This is where our simulations are so important, because we could simulate the actions to repair the system on the ground before launching the crew. 

Considering a similar case for the unmanned program, where no crew is programmed to rendezvous, if the systems did not work the total mission would probably be lost. For instance, considering Viking, if after launch and the long term transcruise to the planet the orbiter and the lander did not separate properly, we would in all probability lose the entire mission. Some contingency planning and redundancy in the unmanned systems is possible; however, there is no alternative for the benefits of crew member/equipment interfaces. 

In order to compare the manned versus unmanned programs, a summary of the differences is in order. 

1. The safety programs consist of essentially the same elements. 

2. The real differences are the tools used and the extent of application. 

3. Both programs require safety to begin in the conceptual phase. 

4. The unmanned program requires more interfacing with the science community than does the manned program. 

5. Both programs require design requirements. 

6. Hazard analysis is a requirement of both programs; however, the method of presentation of the results is different: 

Manned - Safety Assessment Report 

Unmanned - Hazard Catalog 

7. The manned program does require a review of crew procedures and flight training requirements where the unmanned does not. 

8. The mission phase is entirely different: whereas the manned program does require flight contingency plans and emergency procedures, the unmanned program does not. 

In conclusion, it is quite evident that the system safety principles applied to both programs are a contributing factor to mission success. The discipline certainly has more than adequate support of top management, and the results are effectively implemented at the hardware build and test level by technicians once the system safety requirements are known. The key to its success, however, is middle management acceptance and endorsement. Design engineering, planners, project engineers, systems managers, etc., can and will inhibit a successful system safety effort if they don't understand the following: 

1. System Safety objectives. 

2. System Safety differences as it relates to Quality Control, Reliability, and Maintainability. 

3. System Safety as a contributing check and balance against oversights. 

4. That successful program management responsibilities include hardware safety, and they should avail themselves of the results of the system safety tasks. 

It has often been said: "We always have the assets and resources to do it the right way the second time - why not do it right in the first place." System safety, when it is permitted to function, is cost effective, contributes to mission success, and is a needed discipline. If it is not, then industry and government are going to have to continue with programs of accident and risk correction, not accident/incident prevention or risk control. There is a lot at stake on Skylab and Viking that cannot be measured in dollars and cents. National prestige, lives of crewmen, and scientific data that may hold the key to man's very existence - what a price to pay for just one accident or mission failure that is within the realm of our ability to predict, take action to correct, and control the level of risk we must take to progress to the next plateau of space exploration. 
Early this year, the fundamental design concept of the Lunar Seismic Profiling (LSP) Experiment was challenged when a mode of operation on the lunar surface was identified which could conceivably result in the detonation of high explosive charges before the departure of the Apollo 17 astronauts. As a quantitative analysis of the problem was beyond our capability at the time, and as the effects of an explosion on the lunar surface are unpredictable from a safety viewpoint, we found it necessary to report the problem to the Manned Spacecraft Center as potentially "Safety Catastrophic" as defined by NASA directive and by our own LSP System Safety Plan. 

In this paper, I will attempt to track through 
the sequence of events, mainly as they relate 
to the system safety discipline, which resulted 
ultimately in the reduction of this potential 
hazard to "Safety Negligible." For the sake of 
brevity, I have minimized the discussion of 
the test results and some of the second order 
effects related to the operations of the hack 
watches. 

The object of the LSP (Figure 1) is to utilize artificially induced seismic energy to investigate the physical characteristics of the lunar structure. It will be deployed on the surface of the moon during the Apollo 17 mission. Eight packages containing explosive materials ranging from 1/8 to 6 pounds will be set out at distances up to 3.5 kilometers from the Apollo Lunar Surface Experiments Package Central Station, which will be erected near the Lunar Module. The packages are activated by the astronauts as they are set out by removing pull pins which initiate internal timing functions. (Figure 2) 

From a safety viewpoint, the key components of each explosive package are the timers, two per package, which establish the conditions permitting the conversion of a firing command from the Central Station into the detonation of an explosive package after departure of the astronauts from the lunar surface. The timers are completely mechanical, and each contains a modified military "hack" wrist watch movement which controls the advance of a timing drum to a position where the output function is initiated. The timers are preset and there are no controls or adjustments to be made during the mission. It remains only for the astronauts to remove four pull pins to start the watch movements and to remove the mechanical, redundant in-flight safety features when the packages are in position on the lunar surface. (Figure 3) 

When the safe/arm timer actuates, it moves a slide from a position in which it provides complete physical isolation of the end detonating cartridge (EDC) from the explosive block to a position in which a hole in the slide lines up to expose the explosive block to the EDC. This provides a propagation path to detonate the package. If for any reason detonation does not occur and the package is still intact after two hours, the timer will cause the firing hole to slide past the EDC, thereby permanently isolating the EDC from the explosive block. 

One hour after the safe/arm timer opens the firing time window, the battery timer releases a firing pin which strikes a percussion primer in a thermal battery. The heat generated within the battery as a result of this action liquifies a normally solid material, creating an electrolyte which activates the battery for a period of approximately three minutes. With power applied to the receiver, decoder, and capacitive firing circuits, the explosive package is capable of responding to a firing command from the Central Station. 

Early in the preliminary design phase of the timers, it was recognized that environmental conditions to which the watch movements would be exposed on the lunar surface would cause an increase in the amplitude of their balance wheels; this could cause "overbanking" and result in large timing errors and premature initiation of the timer functions. 

The terms "balance wheel amplitude" and "overbanking" are fundamental to the problem and require a short description of the operation of a mechanical escapement watch movement (Figure 4) such as most of us still wear on our wrists. It should be made clear that tuning fork and quartz crystal regulated movements, which we all will see more and more of as time goes on, are not pertinent to this discussion. 

Timekeeping in a watch movement is actually performed by controlling the rate of dissipation of energy from the coiled mainspring through a gear train. The control function is provided by the balance wheel and hairspring assembly which, when properly adjusted, oscillates in simple harmonic motion. The timer hack watch, per common practice, oscillates at a rate of five times per second. 

To define the terms previously mentioned, the measurement of angular displacement of a point on the rim of the balance wheel as it oscillates is the "amplitude" and is measured in "turns." The amplitude of a given watch movement is a function of its mainspring torque characteristics and is not adjustable. The maximum amplitude in any watch movement must be less than that which would cause the balance wheel to come around full swing and contact the escapement from the opposite direction. If this were to occur, the harmonic motion of the balance wheel would be disturbed by the rebound off the escapement and the rate would increase, causing the movement to run faster than normal. This condition, known as "overbanking," is never encountered in a normally operating watch here on Earth. 

However, we have reason to suspect that astronaut wrist watches overbank. In an unofficial poll conducted at our request when this problem first arose, most of the astronauts who were questioned responded that they noticed a tendency for their watches to run fast during a mission, and one was willing to estimate approximately plus twenty minutes per day. We might also note that, typically, the maximum possible amplitude of a fully wound watch would be 1 3/4 turns and the operating amplitude would be 1 1/2 to 1 5/8 turns with the balance wheel axis vertical (watch lying flat). With the watch on edge, the typical amplitude would be 1 1/4 to 1 3/8 turns due to increased balance staff pivot friction in this position. 

In most instrument applications of watch movements, the primary concern is not the amplitude of the balance wheel but the rate of the watch: whether it runs fast or slow, and how much. The designer is free to allow the amplitude to fall within a rather large range, as it has only a second order effect on rate. 

In the LSP Timer, where safety and reliability are of the utmost importance, highly precise timing is the second-order requirement. We have determined that balance wheel amplitude, rather than rate, is the more important factor due to the unusually wide range of environmental factors under which the watch is required to perform, and by the fact that there are upper and lower limits to usable watch amplitude. 

The lower limit, which we have not as yet discussed, is not a precisely fixed point but an ill-defined area of poorer and poorer operation as the amplitude decreases. This is a condition which we Earthbound people can relate to, as this is exactly what happens to our watches when we fail to take them in for periodic cleaning. The lubricant gums up, the internal resistance of the mechanism increases, and, as there is no compensating increase in mainspring torque, less energy is transferred into the balance wheel and its amplitude decreases. This results in due course in noticeably large timing errors, erratic operation, and ultimately, inability of the watch to run at all. Low temperature has the same effect in that it causes the watch oil to congeal. 

When the overbanking problem was originally presented to us by the timer subcontractor, they were unable or unwilling to predict the magnitude of the resulting timing error. They would only say that the watches could conceivably run "several times faster than normal." The main reason for this conservative approach probably was their total lack of quantitative information on the effect of the lunar gravity. 

On our part, we had established a nominal 90-hour runout time requirement in order to maintain a 1.5 safety factor, or thirty hours, between the contingency lift-off time of the LM and the detonation of the first explosive package. We viewed any significant inroad on the safety margin with alarm and, for a time before we could put everything in proper perspective, were fearful that we did not have a viable design concept. The steps that we went through in getting to where we are today are noted in Figure 5. Each will be discussed briefly in turn. 

The subcontractor had little difficulty in verifying that the problem was a real one. There was test experience from other programs to draw on which indicated that temperature and pressure were factors, and the condition was demonstrable by the application of excessive torque to the mainsprings of randomly selected watches through their winding stems. You are all welcome to duplicate this experiment on your own watches, but see your local watch maker, not me, if you shear off your winding stem. 

I would like to show you at this point the form used to document this problem (Figure 6) within our program. Although the concept for the form and its format is my own, most of the checklist items are the work of Mr. J. Richey of Bellcomm, Inc., and were taken from a paper presented by him to the Washington Chapter of the System Safety Society on June 19, 1969. Normally, this form is used as a rough worksheet and has two purposes. First, it is intended to stimulate the imagination both of the System Safety Engineer and of whomever he is trying to extract information from on a problem. Second, it provides some kind of record of all the chaff we sift through in evaluating a problem, particularly the negative findings which are otherwise not documented. The form has been reasonably successful and has been adapted to other areas than manned spaceflight. 

It seemed prudent, after overbanking was verified as a problem, to review alternate methods of providing the timing function for the LSP. Other methods had been considered and rejected in trade-off studies from which the selected design evolved. In the light of an overbanking problem of unknown magnitude, they might have appeared more attractive on second look. I won't belabor this effort, for all the potential candidates were still unattractive for various reasons, primarily weight and reliability. However, none could have scored as high on safety as the concept of two completely independent mechanical timers that could be initiated only by the astronauts during EVA. For once, the requirements of safety, weight, reliability, and volume were entirely compatible. We were convinced that we had the best design, if we could resolve the overbanking problem, and that a change at this point would guarantee nothing other than schedule slippage and cost overrun. We then chose to move on to the next step - to experimentally evaluate overbanking. 

It was originally predicted that amplitude would increase on the moon because of high temperature, high vacuum, and low gravity. Experimental determination of the effects of temperature and pressure was a relatively routine matter, except for the necessity to adopt a state-of-the-art fiber optic instrumentation system to measure balance wheel amplitude to the order of accuracy required. 

The real problem was in the evaluation of the effect of reduced gravity. It was known that balance wheel amplitude changes when the watch is changed from an edge position to a flat position because of changes in bearing friction. From this it could be inferred that the effect of gravity, which would cause a similar change in bearing friction, is not negligible, and that a substantial increase in balance wheel amplitude over the nominal earth value could be expected when the watch was operating on the lunar surface. The question was: how much? 

A centrifuge test was initially performed to provide g vs. amplitude data in the approximate range of 1 to 10 g and extrapolate backward to the lunar 1/6 g area. Not being convinced that this procedure was entirely valid, additional test methods were sought for cross-correlation. 

As a result, two other methods were 
proposed - low or zero g flights in the C-135A 
aircraft operated by the United States Air 
Force as a zero g test and research facility 
and in the 500 foot free fall zero g research 
facility operated by the NASA Lewis Research 
Center. Tests were ultimately performed at 
both facilities under the sponsorship of the 
NASA Manned Spacecraft Center, the procuring 
agency for the LSP Experiment. 

Although none of these three test ap- 
proaches were in themselves completely con- 
clusive, they all pointed in the same direction - 
that the increase in balance wheel amplitude 
under the influence of lunar gravity was no 
greater than one quarter turn. We thought at 
this point that we had the most important 
variable under control but, in fact, the most 
significant fact to be uncovered in the investi- 
gation was to come when the effects of pres- 
sure and temperature were investigated. 

The results of these tests, as presented in Figure 7, substantiated the trend indicated in the initial tests, and a significant break point was found to exist in the 1 torr range. The maximum effect, at 180° F and 1 torr, results in an increase in amplitude of approximately 1/4 turn. At the ambient temperature (approximately 75° F) only one of the three test movements showed any appreciable change in amplitude (1/8 turn). However, beyond 1 torr the slopes increase sharply and, in the hot case, extend into the overbanking region. 

Another surprise was that our test results did not substantiate the traditional horological theory that aerodynamic damping significantly contributed to the total internal resistance of the balance wheel system. This case had been so strongly made in our early discussions that a streamlined balance wheel was actively considered at one point as a partial solution to the overbanking problem. Although our data in the range of aerodynamic interest is scattered and somewhat questionable in an absolute sense, the general slope of the curve as it approaches 1 torr is irrefutable and indicates that the change of amplitude is less than that which an expert watch maker can observe. 

The significant conclusion to be drawn 
from these tests is that, although maintenance 
of one atmosphere of pressure within the 
control module cavity is desirable for other 
reasons, non-catastrophic leak rates down to 
a minimum pressure of 1 torr during lunar 
operations have no great significance to the 
overbanking problem. 

The results of holding pressure constant and varying temperature correlate. Two series of tests were performed, at ambient pressure and in the range of 1 x 10^-4 torr. The summary results, corrected to eliminate torque variations due to mainspring wind down, are presented in Figure 8. 

The effect of reduced pressure on the results of these tests is dramatic. Whereas a sharp point of inflection is displayed on the ambient curve in the 40-50° F range which renders amplitude essentially independent of temperature above this point, the vacuum curve rises steadily at a nearly constant rate and could cause a fully wound watch to overbank above 150° F. This is demonstrated by the points plotted above the 1 3/4 turn line, a physical impossibility, as the balance wheel amplitude cannot increase beyond the point of overbanking. These points result from large corrections on measurements made after the vacuum chamber (and the watches) ran overnight to get down to test pressure. It may be inferred that, had the measurements been made immediately after winding the watches, overbanking would have been observed in at least two of the test watches. 

The close grouping of the data at the cold 
end of the curve suggests that pressure has 
little effect on amplitude at low temperatures 
but that there is almost a straight line rela- 
tionship between temperature and amplitude in 
the range from stoppage at -35° F (-20° F in 
a vacuum) to the point of inflection at 40-50° F. 

The final piece of information needed to evaluate the overbanking problem was related to mainspring torque characteristics. Mainsprings provide higher torque when fully wound up, and less as they run down. A characteristic torque curve is shown in Figure 9. The erratic torque variations at the high end of the curve are eliminated by the use of a recoil click in the winding ratchet mechanism which releases a few ratchet teeth before it locks the mainspring ratchet after winding. The low torque of the low end is eliminated by providing a longer mainspring run than is required for the mission involved. The resulting torque variations are thereby reduced to account for an amplitude variation of approximately one quarter of a turn. 

Tests were conducted measuring torque as a function of mainspring wind as expressed in number of turns of the mainspring barrel. This information was used in correcting other test data to eliminate torque variation due to mainspring position, and to establish a representative slope, which turned out to be 4.4, to use in the presentation which follows. It should be mentioned here that the test watches used in this investigation were "set down" to a nominal one turn amplitude by substituting a conveniently available mainspring from a smaller watch in the subcontractor's product line. The slope must be reverified with the 140 hour mainspring with which the production timers will be equipped. 

Figure 10 shows the method by which the test results were put together to arrive at the conclusion that overbanking is not a matter of concern during normal operation of the LSP timer. Normal operation, of course, means a condition in which seal integrity is maintained and the watches are operating at a nominal pressure greater than 1 torr. As the O-ring seals, three in number, constitute single point failures, the next step was to determine the worst resulting timing error on the safety of the astronauts and on the probability of success of the experiment. 

This was accomplished by overbanking a 
watch under controlled conditions and meas- 
uring the resulting change in rate. By vary- 
ing the controlled condition a curve was con- 
structed of change as a function of overbank 
from which reliable predictions could be made. 
This curve is presented in Figure 11. 

On the left side of Figure 11, it may be seen that the application of a known torque to a fully wound down mainspring barrel resulted in the winding of the barrel to a point of equilibrium at which a certain balance wheel amplitude was attained. As the torque was increased incrementally, the barrel wound up further and the amplitude increased in a predictable manner. When the barrel was fully wound, the amplitude continued to increase as a function of applied torque until the maximum amplitude was attained and the balance wheel overbanked. Up to this point there was no timing error measurable with a stop watch. 

The curve continues on the right side of 
the figure but now, with the maximum ampli- 
tude attained and the watch running over- 
banked, the error rate becomes the dependent 
variable. Figure 12 repeats this portion of 
the curve as well as similar results for the 
other two test specimens. 

As amplitude has thus been demonstrated to be a function of torque, the incremental increases in amplitude previously discussed can be converted to equivalent values of torque and, if combined in a rational manner, the resultant can be read out on the worst case curves in Figure 12 as a reasonable estimate of the worst timing error to be expected during lunar operations. This has been accomplished using graphical methods not discussed herein to account for the non-linearity of the torque curves in the overbanking range and to introduce a factor in the temperature effect based on the ratio of lunar gravity amplitude to earth gravity amplitude. Also accounted for, and not previously discussed, is the effect of an explosive package falling over on its side. After deployment the accumulative total of these worst case conditions is expressed as a maximum of 1750 gram-millimeters of equivalent torque, which may be converted to a maximum error of +120 minutes per day. 

However, the two watch movements in a 
LSP package are aligned in planes at right 
angles to each other and only one of the two 
timers will be lying flat when the package 
is lying on any side. Thus the overbanking 
condition would be applied to one of the two 
timers. This failsafe condition would tend to 
cause a dud rather than a premature explosion 
since the timers must both be within their 
respective time windows for the firing oper- 
ation to function. 

Therefore, considering only a total seal 
failure as the worst case on edge condition, 
the maximum torque value is approximately 
1480 gram-millimeters or an error of plus 
40 minutes per day. Ignoring the decrease 
in torque over 90 hours, this works out to 
approximately 10% of the established 30 hour 
safety margin, and is the basis on which the 
potential hazard has been reduced to "Safety 
Negligible." 

Although the worst case approach has suf- 
ficed to resolve our safety concerns, it does 
little to resolve the residual reliability prob- 
lems. We are now at work developing a mathe- 
matical model of the balance wheel system 
to which we can apply our test results and 
predicted mission time line data to permit 
more meaningful analysis closer to the real 
case conditions which will actually exist. The 
O-Ring seal design is also under rigorous 
review at this time as a result of this inves- 
tigation. 

The remaining system safety task to be performed is indicated in Figure 13, which will ultimately become part of the safety assessment report for the LSP Experiment. We must establish the maximum torque and the slope of the production mainspring torque curve to assure lunar operation conforming to that presented in Figure 10. It is now important to establish tolerances on these numbers which will assure safe and reliable performance of the LSP experiment yet will have an impact on production costs and schedules no greater than required to achieve this goal. This is the sometimes forgotten system safety task which can not be overlooked in our ever more competitive industry. The system safety engineer must be as cost conscious as all the other engineering disciplines and must see to it that no more effort is being expended in the name of safety than is necessary to achieve the desired results. 

In closing, I would like to express my appreciation to several people; to Mr. Charles A. Sauter of the Bulova Watch Company and Mr. René Besson of Ebauches S.A. (Neuchâtel, Switzerland); to Mr. Jack Dye, the LSP Experiment Manager, without whose encouragement I would not be here; to Mr. Donald G. Wiseman, Manager of the Lunar Surface Project Office at the Manned Spacecraft Center for authorizing the presentation of this material; and to Bill Scarborough, who bears the responsibility for me being a System Safety Engineer. 
SESSION V 

Questions & Answers 


MR. REX GORDON: John Gera, where do 
you draw the line between what you consider 
industrial safety responsibilities and your 
operational industrial. Are the industrial safety 
responsibilities based on the talk that you 
gave? 

JOHN GERA: That is a tough one but the 
line is pretty well drawn in the area of the 
manufacturing hardware itself — the machin- 
ery. We consider the machine and the man 
itself, that is industrial safety as we see it. 
We start looking at the detailed processes and 
the machine and the man. We sort of lap that 
over into the system safety activity. 

REX GORDON: When you say machine are 
you talking about drill presses, etc.? 

JOHN GERA: Yes, I am talking about the 
manufacturing machinery itself. 

MR. GORDON: You mentioned that you had 
two plans. A system safety plan for operation 
and an industrial safety plan. 

MR. GERA: "Standards" 

MR. GORDON: "Standards." Who has the 
responsibility of the industrial safety standard, 
to prepare and implement it? 

MR. GERA: The industrial safety standards 
are prepared by industrial safety people and 
the control or checking to see that they are 
adhered to is also the responsibility of indus- 
trial safety. I'll throw one kicker in here. 
No. 1 is that on a program, the industrial 
safety people work for the system safety 
manager in our activity. 

MR. GORDON: They both report to the same manager? 

MR. GERA: That's right, they all report 
to one man who is assigned to the Program 
Manager for safety. Sometimes we get into a 
little problem as to, is this the responsibility 
of industrial safety or is it the responsibility 
of systems safety. The point I want to make is 
that the job does get done whether it is by one 
party or the other. 

MR. GORDON: One additional question. 
You mentioned that you had contingency plans 
for all conceivable emergencies, is that true? 
How much effort does it take to keep them 
updated? Do you make changes in the System? 


MR. GERA: I stated that one way to do it 
is if you could identify every conceivable 
problem that you may have and when you do 
that then you would have to reduce that to what 
you consider credible and work on those ele- 
ments. If I misled you there I apologize. You 
can't in my estimation plan for every con- 
ceivable problem that could go wrong— I don't 
see how you can. 

MR. GORDON: Bill Scarborough, on the list of your functions, you start out with an 
analysis review, surveillance, tests and mis- 
sion support. Do you have any function to give 
safety criteria into the program? 

MR. SCARBOROUGH: I think that is in- 
herent in the analysis function, that is the 
feed back into the design stage or design 
function. I am not sure that I understand 
exactly what you mean. 

MR. GORDON: Where did the system safety 
effort start on the LEM Program? After the 
requirements had already been defined? 

MR. SCARBOROUGH: We started very late, 
like about 3 years after the design was firmed 
up. We didn't really make much of a contri- 
bution to design, to basic design. We have been 
on-board for all of the design changes since 
we came into existence, and we do feed back 
into the sub-systems engineering groups. 

MR. GORDON: Are you talking about com- 
ing on late with a formal program ? 

MR. SCARBOROUGH: Yes 

MR. GORDON: I assume there was some 
safety on it before that. 

MR. SCARBOROUGH: Yes there was a minimal effort. 

W. H. SHAW (TRW): The comment about contingency planning reminds me that there is an important spin-off benefit to safety analyses that we find often gets overlooked. It could apply to matrix hazard analyses but particularly to fault tree which is really before the fact or prior trouble-shooting. In systems that involve maintenance planning, continuously operated manned systems and even one-shot systems that have activity at the Cape, the output of the safety analyses is an extremely important and useful input to the trouble-shooting procedures and maintenance manuals. We have found frequently that this is a real important spin-off that gets overlooked. 

BOB ROSSI (GSFC): Mr. Don Ward and Mr. George Mumma indicated a certain flexibility in the system safety analysis which was 
tailored to the mission and (please keep me 
honest if I am misquoting), however, in 
George’s presentation, I thought I detected an 
inflexibility at the point where he mentioned 
with respect to launch operations when he 
talked about 127-1 and 1700-1 and I am 
wondering, I have run afoul of these many 
times myself, what are your views regarding 
these documents, why shouldn't they be a little 
flexible? 

DON WARD: They are flexible really. You 
can get waivers but you have to show them 
where you need it and you have to show them 
that you are still safe. I don't think that these 
documents are necessarily the only safe way 
of doing something, and we have a couple of 
systems that we are going to ask for waivers 
on. One is a premature separation destruct 
system. We don't want to carry a destruct 
package all the way to Mars, and we think that 
we can show them that if this spacecraft 
should separate prematurely the engines cannot 
fire and it would follow a ballistic trajectory 
into the ocean. Hopefully we can get a waiver 
on that. I think from a mission standpoint we 
will be safer without it than we would be with 
it; and I think to answer your question, those 
documents are not inflexible, but you have to 
have a good reason for changing the way of 
doing business with them. 

QUESTION: A question for Mr. Jones on 
the system engineering of his seismic experi- 
ment. One of the basic requirements of system 
engineering is to identify the function, in this 
case the delayed arming function, and then you 
consider all alternate methods of accomplish- 
ing it and then select the one particular method. 
For many years in the naval mine business 
the delayed arming has been a required feature 
of the naval mines and I'm sure the same in 
many types of fuses. The question is, what 
are the alternate methods of delayed arming 
that were considered and did the safety aspects 
of each alternate enter into the decision to 
choose the hair-springer method of delayed 
arming. 


J. JONES: Primarily the alternate approaches that we had were a series of other kinds of timers or the use of more than one transmitter. There is one transmitter in the system now. I didn't take the time to explain that but there are three functions that must occur in order to get it to firing. Each of the two timers must operate and they must operate within certain time constraints relative to each other, and finally a signal must be received from the central station. An obvious approach, and it would have been terribly heavy in terms of weight, would be to use three transmitters which would mean three receivers in each package. There are eight packages so any weight penalty in the package is times eight. Still, from a safety viewpoint, we didn't like that because there are too many ways of generating spurious signals. The other alternates we had were other kinds of timing devices such as a tuning fork type watch or quartz crystal regulated watch or using mission time and picking that up somehow. All these fell by the wayside either because they were heavier or, in our opinion, less safe. What we selected we feel is the best, if we can make it work, and we are confident now that it will work. 

QUESTION: I was very curious about the 
cause of temperature effect. Is the hair spring 
temperature dependent or not? 

MR. JONES: It is not defined. Our watch- 
making consultants are scratching their heads. 
There are several theories. The most viable 
one right now probably has to do with surface 
tension of the lubricant. Something else that I 
couldn't possibly stuff into a half-hour presentation is that the lubrication problems are 
extremely difficult and that in itself is a two- 
hour presentation. 

QUESTION: You have an oil type lubricant 
on a jewel bearing. I thought jewel bearings 
ran oil-free. 

MR. JONES: No, all small watch mecha- 
nisms such as this do have wet lubrication. 
The particular lubricant that we are using 
costs about $10,000 a gallon and reliability 
is going nuts trying to get traceability all the 
way back to Switzerland on it. It is good, it 
works, and we are really quite surprised at 
the results of our temperature tests. 
INTRODUCTION 

At Idaho Nuclear*, a system safety analysis 
program is in existence for the routine safety 
and reliability analysis of control and safe- 
guard (backup) systems. Though the systems 
analyzed are generally peculiar to the reactor 
industry, the methods employed, and their 
applications, are generally utilizable in any 
safety program. In Idaho Nuclear's safety 
program, a diverse assortment of techniques 
are employed, such as fault hazard analysis, 
failure mode analysis (FMEA and FMECA), 
failure matrix methods, block diagram model- 
ing, and fault tree methods. The fault tree 
method and its applications in particular are 
discussed in this paper, since this technique 
enters into a large portion of the safety analy- 
sis performed at Idaho Nuclear. 

Fault tree methods are used to obtain both 
qualitative and quantitative information about 
the safety and reliability of the system an- 
alyzed. For the analysis, the fault tree depicts 
all the primary causes for a particular system 
failure (or accident occurrence). The system 
failure or accident occurrence is the top event 
of the fault tree. The primary causes are 
usually component failures, administrative 
errors or environmental conditions; in gen- 
eral, the primary causes depict the resolution 
desired for the causes of the system failure 
or accident occurrence. By use of the standard 
"AND" gate and "OR" gate symbology, the 
fault tree depicts the logical relationships of 
the primary causes, and their consequences, 
which led to the specified system failure (or 
accident). Figure 1 at the end of this paper 
summarizes the basic fault tree representa- 
tions. For a discussion of the fault tree 
method, the reader is referred to Haasl (1) 
or Crosetti (2). 

At Idaho Nuclear the fault tree analyses 
are performed for the following objectives: 

1. To represent in an objective and com- 
municative manner the causes of the 
system failure or accident occurrence. 

2. To obtain the modes by which the system failure or accident occurs. These modes are termed "critical paths" in fault tree terminology. 

*As of July 1, 1971, Idaho Nuclear will be under the 

3. To determine the relative importances 
of the individual critical paths. 

4. To determine the qualitative and quanti- 
tative impact on safety or reliability 
due to proposed design modification 
or component upgrade. 

5. To determine the quantitative response 
of system availability with regard to 
particular maintenance schemes. 

6. To determine the quantitative safety, 
reliability, or availability with which 
to compare to established stand- 
ards. 

The fault tree itself satisfies the first 
objective since it portrays in a lucid manner 
the logical chains of events which lead to the 
system failure or accident. The fault tree, once drawn, is an effective implement by which management, reliability or safety engineer, and design engineer can communicate. 

From the fault tree, a simple qualitative- 
type evaluation determines all the modes, or 
critical paths, for the system failure or acci- 
dent. A critical path is a group of primary 
causes which must all occur in order for the 
system failure or accident to occur; if one 
of these primary causes does not occur then 
the system failure or accident will not occur 
by this mode. The complete set of critical 
paths for the fault tree gives all the combina- 
tions of primary causes which give rise to the 
top event. If one or more of these combinations 
occurs, then the system failure (or accident) 
occurs. 

A few simple illustrations may serve to best clarify the critical path definition. Assume a fault tree has been drawn and its critical paths have been obtained. If one of these critical paths is "Resistor 1 Failure in Mode A" and "Resistor 2 Failure in Mode B" then Resistor 1 must fail in Mode A and Resistor 2 must fail in Mode B in order for the system failure or accident to occur. If either resistor does not fail, or fails in modes other than A and B, then the top event (system failure or accident) will not occur by this particular route. If one of the critical paths obtained is "Resistor 3 in Mode A", then only Resistor 3 failing in Mode A is sufficient for the top event to occur, and "Resistor 3 in Mode A" is termed a single failure. The set of critical paths obtained for this fault tree represent all those primary cause combinations, and only those combinations, which will cause the top event to occur. 

The critical paths are obtained from the 
fault tree by means of a number of existing 
safety and reliability computer programs; at 
Idaho Nuclear the programs PREP and KITT(3) 
are used. The critical paths are an important 
class of information since they directly tie 
the system failure or accident to the primary 
causes. If improvement is desired, the critical 
paths identify the specific areas which are the 
weakest and which would have greatest re- 
sponse to an improvement. In general, optimal 
improvement consists of increasing the size 
of the smallest critical paths. If the fault tree 
has one component critical paths (single fail- 
ures) improvement should be centered such 
that these paths become two component (a 
redundancy added), if two component critical 
paths are the smallest that exist for the fault 
tree, then they should be designed into three 
component critical paths and so forth. 
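
As an added illustration of the critical path definition above and of the improvement rule just stated (raise the size of the smallest paths), the following Python example is not part of this paper and is not the PREP program; it derives the minimal cut sets of a small constructed tree by expanding the AND and OR gates top-down and absorbing non-minimal sets, then shows how a redundancy removes a single failure. The tree, its component names (TIMER, RELAY_A, PSU and so on) and the redundant-supply modification are hypothetical.

```python
from itertools import product

# A fault tree node is either a basic event (primary cause), written as a
# string, or a gate written as ("AND", [children]) or ("OR", [children]).
# The trees below are constructed for this example; the component names
# are hypothetical and are not the SPERT components of the paper.


def minimize(sets):
    """Keep only the minimal sets: drop any set that contains another set.

    This absorption step is what makes a cut set a critical path: the set
    {PSU, TIMER} is not a distinct mode if {PSU} alone causes the top event.
    """
    return {s for s in sets if not any(other < s for other in sets)}


def critical_paths(node):
    """Return the minimal cut sets (critical paths) of the subtree at node.

    OR gate:  the top event occurs by any child's path, so the paths are
              the union of the children's paths.
    AND gate: every child must occur, so each path is the union of one
              path taken from each child (cartesian product).
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_paths = [critical_paths(child) for child in children]
    if gate == "OR":
        paths = set().union(*child_paths)
    elif gate == "AND":
        paths = {frozenset().union(*combo) for combo in product(*child_paths)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(paths)


def single_failures(paths):
    """Primary causes that alone cause the top event (one-component paths)."""
    return sorted(next(iter(p)) for p in paths if len(p) == 1)


def smallest_path_order(paths):
    """Size of the smallest critical path; the improvement rule is to raise it."""
    return min(len(p) for p in paths)


# Top event: both the automatic control and the manual backup fail.
# A shared power supply PSU feeds both, so it appears under each OR gate.
BASELINE = ("AND", [
    ("OR", ["TIMER", "RELAY_A", "PSU"]),    # automatic control gives no output
    ("OR", ["RELAY_M", "SWITCH", "PSU"]),   # manual backup gives no output
])

# Improvement: a second, independent supply in parallel with PSU, so the
# supply branch of each OR gate now needs both supplies to fail.
REDUNDANT_SUPPLY = ("AND", [
    ("OR", ["TIMER", "RELAY_A", ("AND", ["PSU_A", "PSU_B"])]),
    ("OR", ["RELAY_M", "SWITCH", ("AND", ["PSU_A", "PSU_B"])]),
])


if __name__ == "__main__":
    for name, tree in [("baseline", BASELINE), ("redundant supply", REDUNDANT_SUPPLY)]:
        paths = critical_paths(tree)
        print(f"{name}: {len(paths)} critical paths, "
              f"smallest order {smallest_path_order(paths)}")
        for p in sorted(paths, key=lambda s: (len(s), sorted(s))):
            print("   ", " AND ".join(sorted(p)))
        print("    single failures:", single_failures(paths) or "none")
```

In the baseline tree the shared supply is a single failure and absorbs every larger set that contains it, leaving five critical paths; with the redundant supply the same tree still has five paths, but the smallest is now of order two, which is exactly the change the paper's improvement rule asks for.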

For the quantitative information in the 
preceding list of objectives of the fault tree 
analysis, the computer programs PREP and 
KITT are utilized. PREP and KITT employ 
the Kinetic Tree Theory approach to obtain 
quantitative information about the fault tree. 
The Kinetic Tree Theory technique has been 
described in a number of articles (4,5,6) and 
the details of this approach will not be dis- 
cussed here. 

The fault tree as drawn by the engineer is 
simply input into PREP and KITT. The only 
other data needed as input are the failure 
rates or probabilities for the primary causes 
(i.e., for the components and any environ- 
mental effects) and the average repair times 
for those primary causes that are repairable. 
With this input data, PREP and KITT obtain 
the critical paths of the fault tree and the 
following quantitative information: 

1. The probability that the failure or 
accident will not occur at all to time t. 

2. The probability of the failure or accident 
existing at time t. 

3. The expected number of times the fail- 
ure or accident will occur to time t. 


4. The failure or accident frequency at 
time t (the integral of this quantity is 
simply the previous characteristic (3)). 

5. The failure rate (lambda) at time t. 

This information is obtained for any series of time points t desired by the user, and hence 
time dependent curves are obtained which 
portray the time history of the reliability or 
safety. From these curves one is able to dis- 
cern, for example, the degradation of relia- 
bility or safety with respect to time; lifetime- 
type information is thus included in the results 
obtained. If a particular time is of interest, 
then one point from these curves is simply 
used. 

This time dependent information is obtained for each primary cause of the fault tree (i.e., for each component or environment effect), for each critical path of the fault tree, and for the top event of the fault tree (the accident or system failure of interest). As applied to a particular primary cause, the information gives the frequency at which the primary cause occurs, the probability of the primary cause not occurring at all, the probability of the primary cause existing at time t, and the expected number of times the particular primary cause will occur. If the primary cause is a component, the information thus gives the detailed reliability and availability of the component and shows, for example, the detailed effects of repair or environment stresses on that particular component. Since this information is obtained for every primary cause, those primary causes, such as particular component failures or environment effects, which are most critical are readily identified. 
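
To make the five characteristics listed earlier concrete for a single primary cause, here is an added Python example. It is not the KITT code (the paper does not detail the Kinetic Tree Theory behind it); it evaluates the closed forms for one repairable component with a constant failure rate and an exponentially distributed repair time, which is the kind of input the paper says PREP and KITT take. The failure rate and repair time values are constructed. A trapezoid integration of the frequency is included to check the statement that the expected number of failures is the integral of the frequency.

```python
import math


def characteristics(lam, tau, t):
    """The five time-dependent quantities for one repairable primary cause.

    lam: constant failure rate (failures per hour)
    tau: average repair time (hours); None means the cause is not repairable
    t:   time in hours

    Closed forms for constant failure rate lam and constant repair rate
    mu = 1/tau (both exponential); these are standard results, assumed here
    rather than taken from the paper.
    """
    mu = 0.0 if tau is None else 1.0 / tau
    s = lam + mu
    decay = math.exp(-s * t)
    # (2) probability the failed state exists at time t (unavailability)
    q = (lam / s) * (1.0 - decay)
    # (4) failure frequency at t: a failure can only start from the working state
    w = lam * (1.0 - q)
    # (3) expected number of failures in (0, t) = integral of w from 0 to t
    expected = lam * t - lam * (lam / s) * (t - (1.0 - decay) / s)
    # (1) probability of no failure at all up to time t
    none = math.exp(-lam * t)
    return {
        "no_failure": none,
        "unavailability": q,
        "expected_failures": expected,
        "frequency": w,
        "lambda": lam,  # (5) the failure rate itself, constant in this model
    }


def expected_failures_numeric(lam, tau, t, steps=20000):
    """Trapezoid integral of the frequency w over (0, t); cross-checks (3)."""
    h = t / steps
    total = 0.0
    for i in range(steps + 1):
        w = characteristics(lam, tau, i * h)["frequency"]
        total += w if 0 < i < steps else w / 2.0
    return total * h


def time_history(lam, tau, times):
    """Curves at a series of user-chosen time points, as the paper describes."""
    return [(t, characteristics(lam, tau, t)) for t in times]


if __name__ == "__main__":
    LAM, TAU = 1.0e-3, 10.0  # constructed: 1e-3 failures/h, 10 h mean repair time
    for t, c in time_history(LAM, TAU, [0, 10, 100, 1000, 10000]):
        print(f"t={t:6.0f} h  no-failure={c['no_failure']:.4f}  "
              f"unavail={c['unavailability']:.5f}  "
              f"exp.failures={c['expected_failures']:.4f}  "
              f"freq={c['frequency']:.3e}/h")
```

For a non-repairable cause (tau set to None) the expected number of failures collapses to the unavailability, since the component can fail at most once; for a repairable one the unavailability levels off at lam/(lam + mu), which is the steady-state value a lifetime curve approaches.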

The information obtained for a particular 
critical path gives the frequency, expected 
number of times, etc., the top event (i.e., 
system failure or accident) will occur by this 
particular mode. The primary causes in the 
particular critical path are solely responsible 
for the system failure or accident and the 
obtained information describes how often this 
particular critical path, or mode, will cause 
the failure or accident. The information is 
obtained for each of the critical paths of the 
fault tree, and hence the most important 
critical paths are identified, those by which 
the failure or accident will most likely occur. 
Any safety or reliability improvements will 
be directed to these "weak links". 

In addition to being obtained for each pri- 
mary cause and critical path, the five time 
dependent characteristics are also finally 
obtained for the top event of the fault tree. 
The characteristics give the frequency at 
which the system failure or accident will 
occur, the number of times it is expected to 
occur, and the probability of it not occurring 
at all. If the system analyzed is a safety 
backup-type system, this information gives, 
for example, the availability of the system, 
that is, the probability that the system will 
perform correctly when an accident condition 
exists. For an on-line operating system, the 
information gives the percentage of time the 
system will operate without failure in any 
time period. The information obtained is a 
complete characterization of the failure or 
accident for any particular situation analyzed; 
effects of repair, environmental stress, and 
administrative procedures are explicitly ob- 
tained. Since the information is time depend- 
ent, a complete history of the safety and 
reliability characteristics is yielded. 

The PREP and KITT codes obtain the 
time-dependent characteristics, by an analyt- 
ical technique which does not entail any Monte 
Carlo simulation. The codes require little 
computer time, for example, approximately 
two minutes of IBM 360/75 computer time is 
needed to completely analyze a 1000 component 
fault tree. For smaller trees the computer 
time is considerably less*. Because of the 
small computer time, sensitivity studies and 
design modification studies are practically 
performed. The failure rates, repair times, 
or particular portions of the tree are simply 
modified and the programs run again to assess 
these possible deviations. 

PARTICULAR APPLICATIONS 

This section describes particular fault tree analyses which have been performed at Idaho Nuclear. The specific, technical details of the systems are not described so that the reader is not encumbered with jargon with which he may not be familiar. The aim of this section is to demonstrate, as straightforwardly as possible, practical applications of fault tree analyses. By describing the results which have been obtained from these analyses, this section will hopefully illustrate the power of fault tree analysis and the role it can play in a system safety program. 

*The computer time is insensitive to the number of time points desired by the user. 

SPERT IV Protection System Analysis* 

The SPERT protection system is an elec- 
trical control system which has the function 
of shutting the reactor down when certain 
safety criteria are exceeded. In this particular 
instance, the system consisted of an automatic 
control (time triggered) and a manual backup 
control. If the automatic control system failed, 
a signal was relayed to operating personnel, who 
were then to initiate the manual control 
system (by pressing a control button). 

A fault tree was drawn for this system, in 
which the system failure (top event) was de- 
fined to be both the automatic control system 
failing and the backup manual control system 
failing, when accident conditions existed. In 
this case, an analysis was performed on an 
already existing system; the SPERT control 
system (automatic and backup) was operating, 
but an upgrade was desired. In order to up- 
grade this system, the following information 
had to be obtained: 

1. An identification of all credible com- 
ponent failures and/or fault conditions 
that could result in the designated sys- 
tem failure. 

2. An identification of the most critical 
weaknesses in the existing system 
(termed the "base-line" system). 

3. A determination of the impact on sys- 
tem safety due to proposed design 
modifications. 

The fault tree was decided upon as the 
most practical method of obtaining this infor- 
mation. The fault tree analysis was performed 
independently of other safety analyses and 
was the major effort for this particular sys- 
tem study. 

*SPERT IV is the name of a particular reactor. 

The fault tree, once it was drawn, consisted of approximately 300 component failures and fault conditions (primary causes). The 
primary causes (the "bottom ends" of the 
fault tree) were basic component failures 
such as particular resistor failures, relay 
failures, and wire failures. Adverse environ- 
mental conditions on these components were 
also included in the primary causes. The 
resolution of the fault tree was therefore on 
a basic component level. 

A correct input to the automatic and 
backup control systems was assumed and 
the fault tree analyzed the causes for no out- 
put or incorrect output. Hence, the analysis 
isolated the "signal-passing function" of the 
control system. No human errors were con- 
sidered in the fault tree. Certain subsystems 
of the control system were periodically checked 
and this scheduled maintenance was included 
in the analysis. To draw this fault tree, a 
total time of approximately two man-weeks 
was required. This task thus required little 
time and effort. 

The fault tree itself and the critical paths 
determined by PREP and KITT yielded the 
first class of information in the preceding 
list. In the PREP and KITT computer run, 
failure rates (lambdas) were assigned to the 
components on the fault tree to determine 
the most important critical paths, i.e., to identify 
the most severe weaknesses in the system. 
The results of this run are shown below. 


Table 1 

COMPONENT FAILURE CONTRIBUTIONS TO A SYSTEM FAILURE 

Manual Control Failure 

    Component                        Failure Contribution 
    Relays (8)                       0.6477 
    Console Switches (2)             0.3076 
    Terminals and Connectors (27)    0.0262 
    Wires (76)                       0.0185 

Automatic Control Failure 

    Component                        Failure Contribution 
    Timer (1)                        0.9927 
    Relays (14)                      0.0071 
    Terminals and Connectors (26)    0.0001 
    Wires (71)                       0.0001 

The above table lists only the major con- 
tributors to system failure; the numerous 
other components not listed had negligible 
contribution. From the table, if the automatic 
control system failed, 99% of the time it would 
be due to the automatic timer mechanism 
itself failing, while only 0.01% of the time it 
would be due to one or more of the 76 
wires failing. If the manual backup system 
failed, 65% of the time it would be caused by 
one or more of the eight relays failing and 
31% of the time would be caused by one or 
both of the console switches failing. The 
critical area in the automatic system was 
thus the timer mechanism while the critical 
areas in the manual backup system were the 
eight relays and two console switches. 

From the identification of these critical areas, and from the critical paths and fault tree itself, which showed the interconnections these critical areas had within the system, modifications became evident which might upgrade the safety of the system. The modifications were quite simple and consisted of 1) placing a second relay in parallel with an existing one ("Modification 1"), and 2) inserting a manually set timer in the automatic control circuit ("Modification 2"). The impacts of these modifications were determined by two additional PREP and KITT computer runs which analyzed the fault tree with the modifications inserted. The total IBM 360/75 computer time required for these two runs plus the original run was three minutes, which was negligible. The result of the impact evaluations is shown in Figure 2 at the end of this paper. 
In the figure, the "Failure Probability" is 
that both the automatic control system and the 
manual control system will fail in any one or 
more of the number of tests performed (a 
"test" here is simply an operation of the 
control system). For example, the failure 
probability at 200 tests denotes the probability 
of control failure in one or more of these 200 
tests. The "BASE-LINE" curve depicts the 
failure probability for the existing automatic 
and backup system, the "MOD-1" curve is for 
this system incorporating Modification 1 (de- 
scribed previously), and the "MOD-2" curve 
is for the system incorporating both Modifi- 
cation 1 and Modification 2. 

As evident from the figure, the proposed 
modifications significantly increased the safety 
of the control system. These modifications 
were made evident from the fault tree analysis 
and the impacts of these modifications were 
then able to be objectively determined from 
the PREP and KITT computer runs. Modifica- 
tion 1 (corresponding to the MOD-1 curve) 
was consequently decided upon as a change to 
be incorporated in the system which would be 
practical in cost and which would substantially 
upgrade system safety. 
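
As an added example, not the paper's PREP and KITT runs and not the SPERT data, the Python below reproduces the shape of this study with constructed per-test failure probabilities: each control path fails on a test when any one of its components fails, control failure needs both paths to fail, the Table 1 style contributions are first-order shares within each path, and the Figure 2 quantity is the probability of failure in one or more of n tests, compared for the base-line system and Modification 1 (a second relay in parallel with an existing one). Component counts follow Table 1; the probabilities are hypothetical.

```python
# Per-demand (per-test) failure probabilities by component class:
# class -> (number of components, probability one of them fails on a test).
# These probabilities are constructed for the example; they are NOT the
# paper's data. The component counts are those of Table 1.
MANUAL_BASELINE = {
    "relay": (8, 1.0e-4),
    "console switch": (2, 1.9e-4),
    "terminal/connector": (27, 1.2e-6),
    "wire": (76, 3.0e-7),
}
AUTOMATIC = {
    "timer": (1, 2.0e-3),
    "relay": (14, 1.0e-6),
    "terminal/connector": (26, 1.0e-8),
    "wire": (71, 3.0e-9),
}


def subsystem_failure(classes):
    """P(path gives no output on a test): any single component failing suffices (OR gate)."""
    survive = 1.0
    for count, q in classes.values():
        survive *= (1.0 - q) ** count
    return 1.0 - survive


def contributions(classes):
    """Share of path failures attributable to each class, as Table 1 reports.

    With every component a single failure of its path, the first-order
    (rare-event) share of class i is n_i * q_i / sum_j n_j * q_j.
    """
    weights = {name: count * q for name, (count, q) in classes.items()}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def top_event_per_test(automatic, manual):
    """Control failure needs both the automatic and the manual path to fail (AND gate)."""
    return subsystem_failure(automatic) * subsystem_failure(manual)


def failure_in_tests(p_per_test, n_tests):
    """Probability of control failure in one or more of n independent tests (the Figure 2 quantity)."""
    return 1.0 - (1.0 - p_per_test) ** n_tests


def modification_1(manual):
    """Second relay in parallel with one existing relay: that pair fails only if both fail."""
    count, q = manual["relay"]
    modified = dict(manual)
    modified["relay"] = (count - 1, q)
    modified["relay pair (parallel)"] = (1, q * q)
    return modified


if __name__ == "__main__":
    for name, share in contributions(MANUAL_BASELINE).items():
        print(f"manual     {name:24s} {share:.4f}")
    for name, share in contributions(AUTOMATIC).items():
        print(f"automatic  {name:24s} {share:.4f}")
    base = top_event_per_test(AUTOMATIC, MANUAL_BASELINE)
    mod1 = top_event_per_test(AUTOMATIC, modification_1(MANUAL_BASELINE))
    for n in (1, 50, 100, 200):
        print(f"tests={n:4d}  BASE-LINE={failure_in_tests(base, n):.3e}"
              f"  MOD-1={failure_in_tests(mod1, n):.3e}")
```

The contribution shares single out the timer on the automatic side and the relays on the manual side, which is where a modification pays off; replacing one relay by a parallel pair turns its per-test probability from q into q squared and lowers every point on the failure-versus-tests curve.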

Plant Protection System Pilot Study 

The system analyzed in this study is an 
on-line control system. Critical plant para- 
meters are continuously monitored and if any 
of these parameters exceeds safe operating 
limits the control system rapidly reduces the 
reactor power. The fault tree analysis was 
performed during the conceptual phases of 
system development. Three possible designs 
were proposed for the control system, and the 
fault tree analysis served the role of deter- 
mining the "best" system design out of the 
three proposed. The analysis investigated both 
the safety and reliability of the designs; in 
fact, in this instance, if the system safety 
was the only characteristic examined the 
wrong design would have been chosen. 

The fault tree analysis of the three designs was conducted on a functional level; the minimum components required to provide a discrete and separate function were considered as the basic building blocks of the system. This level of analysis was sufficient to define the primary causes of failure on the fault tree. Any further detail was inappropriate in this conceptual design phase and the functional level of resolution provided adequate information with a minimal expenditure of time and effort. 

Six fault trees were drawn for the three 
proposed designs, one fault tree considering 
reliability and one fault tree considering safety 
for each design. The studies were performed 
by system design engineers who were familiar 
with the concepts of fault tree analysis. Each 
fault tree consisted of approximately 70 com- 
ponents (primary causes) and the six fault 
trees required two man-weeks to complete 
(two engineers working five days). 

Each of the three designs possessed re- 
dundancies in the electrical circuits. All the 
designs utilized two out of three coincidences 
to insure against spurious, undesired action, 
and all three designs were of the same order 
of cost. It was not obvious from the design 
as to which one design was the best and a 
fault tree analysis was the only method deemed 
practical, and of sufficient power, to solve 
this problem. 

For the safety fault tree of each design, 
the system failure (top event of the tree) was 
defined to be "failure of the system to respond 
when protective action is necessary". For the 
reliability fault tree the system failure was 
defined as "system responds when protective 
action is not necessary". For the safety study 
the failure thus investigated was the system 
not working when accident conditions existed; 
accident conditions were input to the system, 
but the system did not respond. For the relia- 
bility study, the failure was the system acting 
as if accident conditions existed when they did 
not; normal, nonaccident conditions were input 
to the system, but the system responded as if 
accident conditions were input. In the safety 
failure, the system gave no protection to an 
accident and in the reliability failure, the 
system gave unwanted protection which shut 
the plant down. 

The fault trees, once drawn, were input to 
the PREP and KITT programs to obtain the 
quantitative system safety and reliability 
characteristics. Component failure rate data, 
gathered from existing reports, was also input 
to the programs. The same failure rate data 
was used for all the fault trees in order to 
obtain valid comparisons. The six computer 
runs required a total of four minutes computer 
time, which was inconsequential. The results 
of the analyses are shown in Figures 3 and 4 
at the end of this paper. 

In Figure 3, the probability of a safety 
failure is plotted versus total operating time 
(hours). A point on a curve gives the proba- 
bility of the system failing during a particular 
operating period. If, for example, the time 
period of 1200 hours is chosen (the x value) 
then the probability that the system will fail 
during this 1200 hour operating period is 
obtained from the curves. (The curves in 
Figure 3 are only plotted to 2000 hours since 
this is the proposed maximum continuous 
operation time for the system.) 

The system failure investigated in Figure 
3 is a safety failure, i.e., the failure of the 
system to respond when protective action is 
necessary. Each of the three safety fault trees 
for the three designs investigated this par- 
ticular safety failure (had this as the top, 
undesired event on the fault tree). "System I", 
"System II" and "System III" in Figure 3 
represent the three individual design pro- 
posals. From the figure, System I and II are 
the safest designs with System II being a bit 
safer than System I. If safety was the only 
consideration, then System II would be chosen 
as the best design since it was simpler and 
slightly cheaper than System I. 

Figure 4 illustrates the reliability of each 
of the three designs. The probability of a 
reliability failure (the y-axis) is the proba- 
bility that the system responds when protec- 
tive action is not necessary. Total operating 
time is again depicted on the x-axis. From 
the figure, System I is the most reliable, 
while Systems II and III are highly unreliable 
and cause numerous unwarranted shutdowns. 

Investigating both Figures 3 and 4, that is 
investigating both safety and reliability, Sys- 
tem I is clearly the best design. The safety of 
System I is acceptable with regard to the 
established program standards and in fact the 
difference between the safety of System I and 
the safest design is insignificant. The relia- 
bility of System I equals its safety (~10^-3 after 
2000 hours) and far exceeds the reliability of 
the other two designs. Because of this analy- 
sis, System I was the design chosen and is 
presently progressing through the finalized 
design stages. 


For this study, the fault tree analysis thus 
allowed the best design to be chosen with 
little effort and cost expenditure. System III 
was the simplest design and had the fewest 
components, while System I, the design chosen 
as the best, was the most complex. The fault 
tree analysis showed that in this case, a small 
amount of added complexity bought large re- 
turns in safety and reliability. As an added 
verification, the present finalized design 
studies of System I completely substantiate 
the results of the performed fault tree analyses. 

PBF Poison Injection System Analysis 

The final study discussed in this paper is 
an investigation of a backup emergency sys- 
tem. The poison injection system is used as 
an emergency reactor shutdown system; it is 
essentially a two out of three type control 
system which is manually initiated. A correct 
input to the system was assumed and no 
response was the system failure examined (i.e., 
this was the top event of the fault tree). 
Resolution was on a basic component level 
and human errors were not considered. The 
fault tree analysis was performed again during 
the conceptual design stage. The fault tree 
consisted of approximately 200 components 
and, as in the previous cases, required ap- 
proximately two man-weeks to complete. 

The analysis is different from the previous 
two in that the injection system is solely a 
backup system and system availability is the 
primary safety concern. ("Availability" here 
is the probability the system will function 
when called upon at any particular time. 
Conversely, the "unavailability" is the proba- 
bility the system will not function when called 
upon.) The fault tree analysis was performed 
to investigate the following: 

1. Possible weaknesses in the system 
design (the base-line system). These 
would be determined from the fault tree 
itself and from the critical paths ob- 
tained by PREP and KITT. 

2. The response of system availability with 
regard to various maintenance checking 
intervals used for the components. This 
would be determined from the quantita- 
tive characteristics obtained by PREP 
and KITT. 

3. Differences that would result in system 
availability due to particular design 
modifications. The quantitative charac- 
teristics from PREP and KITT would 
again be used here. 

The fault tree analysis was one part of a 
larger safety analysis performed on this sys- 
tem. 

The fault tree, having been drawn for the 
base-line system design was input to the PREP 
and KITT codes to obtain the critical paths 
and quantitative characteristics. The input also 
included the component failure rates and a 
range of checking times for those components 
that would have maintenance (not all compo- 
nents would be checked and this was taken into 
consideration). From the fault tree and criti- 
cal paths, possible weaknesses in the base- 
line system were uncovered. A second and 
third computer run was then performed to 
analyze two possible design modifications; in 
these additional runs, the same component 
failure rates and checking times were used. 
The total computer time required for the 
three runs was five minutes IBM 360/75 time. 

Figure 5 at the end of the paper shows the 
system availability versus component checking 
interval for the base-line system design and 
for the two proposed design modifications. 
The quantity actually plotted on the y-axis is 
the failed probability, or system unavaila- 
bility, which is one minus the availability. The 
"NO REDUNDANCY" curve is the base-line 
system, the "PARTIALLY REDUNDANT" 
curve is for a design modification making 
certain portions of the system redundant, and 
the "COMPLETELY REDUNDANT" curve is 
for a second design modification making the 
system completely redundant. 

From the figure, for example, if the 
maintainable components of the base-line sys- 
tem were checked every 100 hours (10^2 on the 
x-axis) then the system unavailability would 
be 6x10^-2 (the corresponding y-value on the 
NO REDUNDANCY curve). Thus, for this design 
and checking interval, 6% of the time the sys- 
tem would not function when called upon.* 
Again, for the base-line system, if the main- 
tainable components were checked every 1000 
hours, then the system unavailability would 
be 4x10^-1, i.e., there is a 40% probability that 
the system would not function when it was 
called upon at any particular time (when 
accident conditions existed). The unavaila- 
bility for the PARTIALLY REDUNDANT de- 
sign or the COMPLETELY REDUNDANT de- 
sign, for a particular component checking 
interval, would be read from the figure in a 
similar manner as above. 

*Checking every 100 hours means a periodic mainte- 
nance check is performed after every 100 hours of 
operation. 

The results from the fault tree analysis 
and the subsequent PREP and KITT runs 
shown in Figure 5 are significant since they 
show not only the response of availability with 
respect to various maintenance schedules for 
a particular design, but also show the impact 
of design modifications on the system availa- 
bility. If a given availability is desired (or 
equivalently if a given failed probability, or 
unavailability, is desired), then either the 
base-line system design with a given com- 
ponent checking interval may be used or a 
modified design with a larger checking interval 
may be used. The design modifications have 
their chief impact on the checking interval, 
allowing the same availability to be attained 
with less maintenance. 

The modifications which made the system 
completely redundant (the COMPLETELY 
REDUNDANT curve in Figure 5) consisted of 
incorporating more piping redundancy into the 
system. These modifications increased the 
independence of the flow circuits as verified 
in Figure 5. The modifications have been 
taken into consideration in the final design of 
the system. 

Finally, Figure 6 shows the failed proba- 
bility (unavailability) for the completely re- 
dundant design when possible errors in com- 
ponent failure rate data are taken into account. 
The "MOST PROBABLE VALUE" curve in 
Figure 6 is the same as the COMPLETELY 
REDUNDANT curve in Figure 5, but is plotted 
on a different scale. The MOST PROBABLE 
VALUE curve represents the best value for 
the completely redundant system unavaila- 
bility. The "90% Upper Bound" and "90% 
Lower Bound" are the 90% confidence bounds 
for the system unavailability (i.e., the curves 
represent 90% error bars when possible errors 
in data are taken into account). These upper 
and lower bound curves were computed by 
assuming a possible error of a factor of 10 in 
each component failure rate (to 90% con- 
fidence). These error curves serve to show 
the effect errors in component failure rate 
data have on the system computed safety 
characteristics. As observed, the possible 
errors did not significantly affect the system 
results. Even accounting for these possible 
component failure rate errors, the relative 
differences between the curves in Figure 5 
remained the same (i.e., the possible failure 
rate errors merely shift all the curves in 
Figure 5 up or down the y-axis without chang- 
ing their relative separations). The completely 
redundant system thus still showed the same 
gain in availability when possible errors in 
component data were taken into account. 

For this study of a stand-by emergency 
system, the fault tree analysis thus showed, 
in an objective manner, the effect of mainte- 
nance on the system availability and the effect 
of proposed design modifications on the avail- 
ability. As for the previous studies, the fault 
tree effort required minimal time and cost, 
with returns greatly exceeding the investment. 

SUMMARY 

The fault tree methods that were used for 
the described analyses are not peculiar to any 
particular system; the methods can be used 
on any electrical or mechanical system in 
any industry. Furthermore, the methods need 
not only be applied to systems, but can be 
applied to any event or incident, such as an 
accident occurrence, for which the primary 
causes are desired. The same kinds of results 
as were illustrated in this paper will be ob- 
tained for any fault tree, regardless of its 
particular nature. Any fault tree will yield, 
among other information, the critical paths, 
i.e., the modes by which the system failure 
or accident will occur, the most critical areas 
likely to cause the failure or accident, detailed 
failure probabilities, and the response of 
safety or reliability to design modifications 
and maintenance schemes. The fault tree itself 
is a significant result since it objectively 
defines the failure or accident and is a valuable 
tool for communication. The fault tree analysis 
has most application in the design phases, but 
it can be used on already existing systems. 
Finally, the fault tree can be as detailed as 
desired; however, the fault tree need not be 
elaborately complex in order to yield useful 
and significant information. 
INTRODUCTION 

The simplistic pictures of life's problems 
confound efforts to deal with the solutions, in 
their intricate complexities. Some of us may 
be attracted to the slogan solutions - "acci- 
dents are caused by the nut behind the wheel" - 
but study soon shows that human events, such 
as an injury while using a consumer product, 
cannot be said to have one cause, one fault, 
one solution. It obscures understanding and 
yields limited improvement to look for and try 
to act on the cause of an accident, i.e., 
events have thousands of "causes" or anteced- 
ent events, many of which might be modified to 
increase safety. 

This is "coal to Newcastle" to system 
safety engineers in their own specialties - par- 
ticularly space safety or military systems 
safety. But we are just learning to apply these 
techniques to consumer product safety. How 
many aerospace systems safety engineers 
apply these techniques in their own homes? 
Instead of waling junior right away for leaving 
books on the stairs that pa tripped over, how 
many of us analyse the many changes that 
would have reduced the chances of this event - 
improved lighting, wider stairs, tables near 
the bottom and top of the stairs for holding 
things we wish to later take up or down, less 
to drink before dinner, less shouting at the 
family and stomping on the stairs to show 
who's boss, etc. - before waling junior? 

Clearly, the systems effectiveness and 
systems safety techniques of analyses of re- 
liability, maintainability, operability, support- 
ability (logistics), compatibility, design sim- 
plicity, human factors, dependability, 
availability, hazards, failures, fault trees, 
environment effects, systems safety plans, 
safety documentation and communication, 
safety audit procedures, etc., could be uti- 
lized to increase the safety of consumer 
products and their use. 

For space and military products, the 
government has the responsibility and the 
capability through contract requirements and 
payments to minimize the costs of product 
purchase and product use, including the human 
and dollar costs of safety failures. For con- 
sumer products, the picture is less clear as to 
who is responsible for safety, and the capabil- 
ities of the individual product purchaser, the 
consumer, are far less than the government to 
specify or even to find out the level of safety 
or other use costs of the products he buys. The 
cost of safety features is localized with the 
price of the product; the savings of safety are 
very distributed. But consumers, acting as 
voters, are expressing a group interest through 
legislation for more government concern with 
increasing the safety of consumer products. 

THE SAFETY INTERFACES 

Figure 1 diagrams some of the more im- 
portant safety interfaces. Traditionally, the 
consumer exchanges money with the manu- 
facturer for products, and has the responsi- 
bility (caveat emptor - buyer beware) to select 
the products that serve his needs, using in- 
juries as experience in judging safety. As the 
market has proliferated so that experience with 
particular products is more diffuse, and as 
products have become more complex, so that 
their hazards are largely hidden, governments, 
particularly through judicial powers and tort 
law development, have held the manufacturer 
increasingly responsible for his product 
(caveat vendor - seller beware). As Morris 
Kaplan put it, (1) 

"The consumer has a lot of catching up to 
do. Much has happened between the hoe and 
the mechanical cultivator, between home- 
spun and polyester knits, between illus- 
trated books and color television. By the 
time he learns about a gas or electric stove, 
there's a radar oven. After he learns the 
difference between real and artificial silk, 
he is confronted with acetate, nylon, poly- 
ester, acrylics." 

The manufacturer gives an implied war- 
ranty for his product, and may give an express 
warranty as well, but it is noted that his re- 
sponsibility for his product is far from com- 
plete. His express warranty may cover only a 
few percent of the design use life of the prod- 
uct, and products liability insurance and case 
settlement payments of 0.05% of sales are not 
unusual. (2) 

Looking again at Figure 1, it is the govern- 
ment far more than the individual consumer 
that has utilized injury information. Through 
legislation and regulation (or executive law), 
the government requires the manufacturer to 
consider certain aspects of consumer product 
safety (cave legem - beware of the law, an ex- 
pression I suggest). However, the government 
has had only a moderate impact on consumer 
product safety in any given decade - although 
the combined effects are very important, and 
total hazards perhaps particularly in food and 
drugs might be far worse without any govern- 
ment action. Hence, the practice of the market- 
place continues to be caveat emptor - buyer 
beware - however much we talk about products 
liability, class action, self-regulation, and 
government regulation trends. 

It is the consumer who pays - is handed the 
responsibility - for most (I suggest about 
90%) (3) of the product performance failures, 
and most (I suggest 50%) of the costs of in- 
juries involving the products he buys. (My 
rough working estimate (3) is that the manu- 
facturer pays through products liability settle- 
ments perhaps 5% of the injury costs of con- 
sumer products, i.e., that only 5% of the 
injury costs show up directly in product prices. 
Governments, through support of the medical 
establishment, pay some 30% of product injury 
costs, I estimate - which show up later in 
taxes. And uninjured consumers, through in- 
surance distribution, pay perhaps 15% of prod- 
uct injury costs.) 

The importance of the testing laboratories 
and standards bodies in consumer product 
safety is now growing. 

SLOW ACCIDENTS 

In addition to our dollar losses for unwise 
choices in the marketplace, we have our human 
losses of deaths and injuries while using prod- 
ucts. The National Safety Council Accident 
Facts reports some 115,000 accident deaths 
and 50 million injuries per year, of the 2 
million who die each year in the United States. 
I call these the "fast accidents," and am look- 
ing particularly at the deaths and injuries in- 
volving delayed stress effects of our life 
styles, the "slow accidents" (3) of carcinogens 
in our products and environments, heavy 
metals in our streams, deaths and hospitali- 
zation (injury) for some people with "dis- 
eases" including malnutrition whose cures or 
prevention are known but not applied, and all 
other effects of stress that lead to "premature 
death" and hospitalization. Ralph Nader speaks 
of the "silent violence" of our society. By a 
curve fitting procedure, Figure 2, of the cumu- 
lative percent of those who died in 1967 (4) 
versus the age at which they died, the pre- 
liminary suggestion is made that the observed 
curve could be accounted for by a "biological 
death" probability distribution with mean age 
of death of 75 and standard deviation of 12 
years, with a 2 percent "tail" of additional 
deaths prior to the age of 1 year representing 
the early-lethal effects, together making up 70 
percent of the deaths, and a difference curve 
"stress death," which is within 4.5 percent of 
being a straight line — with less deaths before 
age 50 and more after age 50, curve fitting at 
30 percent of the deaths — or 600,000 people 
per year in the United States. 

On the basis of this very preliminary 
hypothesis, I suggest that in addition to some 
100,000 fast accident deaths there are some 
500,000 slow accident deaths, and with an esti- 
mated ratio of perhaps 500 injuries to 1 death, 
there are 250 million slow accident injuries 
per year — to the extent of getting professional 
medical treatment or being disrupted from 
normal activities for at least a full day. Most 
of us are feeling some discomfort with our 
technological life style — although I hasten to 
emphasize that it is this same technology that 
lets many more of us live out a biological life 
span than in years past. The median age 
of death in Massachusetts in 1850 was 40, 
and even in 1900 for non-whites it was 
33. (4) 

The challenge in consumer product safety, 
then, is not only to reduce at least the involun- 
tary imminent hazard aspects of product use, 
but also to reduce these continuing hazards of 
pollution, mutation, exhaustion of raw ma- 
terials, and other stresses of modern life. By 
increasing production of food, products, and 
services over the millennia man has indeed 
extended the median life span. Now, in this 
generation, it becomes apparent that much 
further increased production and populations 
will decrease the median life span unless we 
reduce the stress hazards. Living with man 
rather than living with nature has become the 
challenge of survival. 

INFORMATION VERSUS REGULATION 

As Figure 1 indicates, there are several 
ways in which product injury information could 
be more effectively utilized in the market- 
place. The government staff could decide what 
is needed to increase safety and by legislation 
and regulation require that these changes be 
made. Many of us are aware of the inade- 
quacies (6) of bureaucratic omniscience, and 
feel that regulation should deal with only the 
unreasonably hazardous products. 

A major alternative to encourage the use 
of safe and well-performing products, i.e., 
products with reduced imminent or delayed 
hazards, is for the government and the manu- 
facturer to increase the flow of product in- 
formation to the consumer, to increase his 
ability to choose safety. We often get the wrong 
product or the wrong service — not the one we 
would have chosen even with our present edu- 
cation if we had been given adequate informa- 
tion about products and services in the market- 
place. President Nixon, in his Consumer 
Message to Congress (7) of February 24, 1971, 
after noting the major success of our economy, 
said, 

"In today's marketplace, however, the 
consumer often finds himself confronted 
with what seems an impenetrable complex- 
ity in many of our consumer goods, in the 
advertising claims that surround them, the 
merchandising methods that purvey them 
and the means available to conceal their 
quality. The result is a degree of con- 
fusion that often confounds the unwary, and 
too easily can be made to favor the un- 
scrupulous. I believe new safeguards are 
needed, both to protect the consumer and 
to reward the responsible businessman." 

The President then presented legislation to 
implement the "buyer's bill of rights," includ- 
ing the right to information to make intelligent 
choices among products and services in the 
marketplace, and concluded: 

"In submitting the foregoing proposals, 
I want to emphasize that the purpose of this 
program is not to provide the consumer with 
something to which he is not presently en- 
titled; it is rather to assure that he receives 
what he is, in every way, fully entitled to. 
The continuing success of our free enter- 
prise system depends in large measure 
upon the mutual trust and goodwill of those 
who consume and those who produce or 
provide. 


"Today in America, there is a general 
sense of trust and goodwill toward the world 
of business. Those who violate that trust 
and abuse that goodwill do damage to the 
free enterprise system. Thus, it is not only 
to protect consumers, but also to protect 
that system and the honest men who have 
created and who maintain it that I urge the 
prompt passage of this legislation pro- 
gram." 

What then is the buyer's right to informa- 
tion about products to allow intelligent choices 
in the marketplace? I shall present a pre- 
liminary and personal view here, with the em- 
phasis that it would be a great service of the 
engineering community and of this conference 
to refine this list and begin to implement its use. 

My view is that, just as one manufacturer 
would require the following from another manu- 
facturer supplying a product, so the consumer 
has a right to know 

- the name and address of the manufacturer. 
If the manufacturer is outside of the 
United States, the name and address of 
the importer should also be given 

- the model number, and perhaps for prod- 
ucts costing over $100 a serial number 
of the product 

- the date of manufacture 

- the design performance under design use 
conditions 

- the design maintenance under design use 
conditions, and costs 

- the design repairs; characteristics, 
costs, and frequencies under design 
use conditions 

- the design use life under design use con- 
ditions 

- the standards and test methods followed 
in design and manufacture 

- the quality control utilized. Test methods, 
frequency of use, results for the de- 
sign product, and accepted variations 
for all tested products sold. 

- the kinds of accidents and their frequen- 
cies and severities for products of this 
category, and what has been done in 
this particular product to reduce these 
accidents 

- the residual risks of accident types — 
with predicted frequencies, severities, 
and costs — for accidents which have 
not been avoided by the product design. 
These residual risks must remain of 
user concern. 

- warning and hazard instructions — how to 
recognize and avoid hazards, and what 
to do if hazards develop 

- warranty, if offered, including time and 
procedures, and the percent of design 
product use life under design use con- 
ditions which is covered by the warranty 

- how to get in touch with the manufacturer 
for complaints, repair advice, etc. 
Ideally a reverse-charges telephone 
number such as is being used by one 
large manufacturer 

- user experience concerning performance, 
repair, problems, etc. as reported to 
the manufacturer or to the government, 
or as solicited by the manufacturer 
from a statistically balanced sample of 
users. Because of possible conflict of 
interest problems, this might better be 
presented as a summary of government 
complaint and use data rather than as 
manufacturer data. 

The responsible manufacturer, in his de- 
sign of a consumer product, already has most 
of this information, and could now put it in a 
Buyer's Handbook, available on request if not 
supplied with each product sold. But there is a 
lot of work to do by industry, by government, 
by standards bodies, and by all engineers to 
indeed make this information meaningful to the 
consumer, and used to reduce waste and haz- 
ard in the marketplace. 

Dr. Lewis Branscomb, Director of the Na- 
tional Bureau of Standards, presented the 
buyer's right to information in the following 
form (8): 

"Information 

The buyer needs the answer to three 
questions about a product: 

1. How well will it do the job I want it 
to do, and for how long? 

2. How much does it cost me, now and 
later? 

3. Is it safe? Will it annoy my neigh- 
bors?" 

The extent to which industry and govern- 
ment supply such information to consumers, 
so that short-term and long-term safety be- 
come factors in the marketplace, will in my 
view determine the extent that mandatory 
regulation of safety is considered unnecessary. 
I suggest the phrase "Cave Consumptorem 
Prudentem - beware the wise consumer". 
Either the consumer will be given the infor- 
mation that will let his wise choice in the 
market correct the unreasonable dangers and 
waste of incorrect choice, or in his growing 
political wisdom he will vote to remove these 
dangers and wastes by regulation. The respon- 
sible manufacturer has nothing to fear, and 
indeed in my view should speed the day of wise 
choice in the marketplace by preparing a 
Buyer's Handbook on each model of product 
sold, with all of the information listed above. 

THE MANUFACTURER 

In an altruistic world, the manufacturer 
would practice every known procedure to in- 
sure the short term and long term safety of 
the users of his product. But without altruistic 
stockholders, his need is to show a profit from 
his management. He may conclude that since 
he is only directly paying a small part of the 
cost of injuries and other failures involving his 
products, he may do less for safety, in keeping 
with his own financial realities (9). This con- 
dition may prevail until the costs of product 
failures are at least identified for the infor- 
mation of future buyers if not indeed charged 
back to the manufacturers. 

The National Commission on Product Safety 
examined the safety practices of a small num- 
ber of manufacturers of consumer products by 
means of a Manufacturers Questionnaire. Re- 
sponses were voluntary, so perhaps better than 
average performance is practiced by those 
agreeing to respond. An index representing the 
percentage of yes responses concerning the 
performance of recognized systems safety 
practices was utilized to examine a number of 
industries (2). Figure 3 illustrates the spread 
of total responses, from the 20% for the foot- 
wear industry - whose questionnaires showed 
almost no sense of involvement with the prob- 
lem that the major source of injury in the home 
is from falling - to the 88% for the power tool 
industry, who are well aware of tool hazards 
and attempting to reduce them. Reference 2 
should be examined for the kinds of safety 
practices of certain consumer product in- 
dustries. 
Looking again at Figure 1, the manufacturer 
could investigate product injury problems di- 
rectly, and use this information to improve his 
product. The National Commission on Product 
Safety found very few manufacturers who had 
physicians or related personnel visiting hos- 
pitals, medical researchers, and injured in- 
dividuals to learn details of product injury 
events. Although manufacturer injury investi- 
gation personnel, with medical as well as engi- 
neering experience, would have difficulty 
finding appropriate cases to investigate work- 
ing alone, the time is at hand for at least all 
large manufacturers to designate staff injury 
investigators or coordinators to cooperate with 
the Government in these studies. The patient 
privacy and investigator conflict of interest 
issues are important, so that the Government 
may do much of the initial investigation alone. 
But the manufacturer in my view should seek 
his own professional understanding of the public 
health product injury problem, and not wait 
for the Government to spell out for him the 
mandated engineering changes. 

THE TESTER 

To help assure the safety of a manufactured 
product one can test the product. "Hazardous 
or unsafe conditions for individuals using, 
maintaining, or depending upon the product" are 
considered "Critical defects" for products sup- 
plied to the Government, and "the supplier may 
be required to inspect every unit of the lot or 
batch for critical defects." (10) 

The individual consumer can make no such 
100% inspection requirement, but nonetheless 
the trend in consumer product testing is toward 
100% production line testing. The cost of machine 
testing is going down in comparison to 
the cost of off-line "handcraft era" testing of 
the older quality control methods, and the sav- 
ings are going up in detecting a production 
failure right after it occurs, to minimize re- 
work to correct the failure, rather than de- 
tecting the failure after the product is com- 
pleted. 

Further assurance of product design 
quality can be provided by an independent test- 
ing laboratory. It is emphasized that the in- 
dependent laboratory should oversee the pro- 
duction testing of the manufacturer, and vouch 
for these test methods as well as for the 
quality of the product design. Production fail- 
ures (i.e., products made not according to 
design) as well as design inadequacies can lead 
to hazardous products. A National Conference 
on Laboratory Evaluation and Accreditation is 
being developed under the coordination of the 
National Bureau of Standards to establish pro- 
cedures to assure, possibly both nationally and 
internationally, the capabilities of independent 
testing laboratories in performing defined 
tests. 

But there are many aspects of consumer 
product use for which there are no defined 
tests. The National Commission on Product 
Safety found that for many consumer products 
there are no published standards (which 
typically include test methods). The Adminis- 
tration has proposed, with bipartisan support, 
a Consumer Product Test Methods Act, H.R. 
6891, "a bill to provide incentives for increas- 
ing the amount of information available to con- 
sumers respecting consumer products." The 
Secretary of Commerce, in consultation with 
the Office of Consumer Affairs, would promote 
the development, approval, and use of methods 
for testing for consumer product characteris- 
tics whose measurement would be in the in- 
terest of consumers. Suppliers could then elect 
to advertise the results of these authorized 
tests, and their use of accredited testers. Con- 
sumers would receive more useful quantita- 
tive information to aid their choices in the 
marketplace. The supplier reporting on a test 
in advertising or elsewhere would be required 
to fairly disclose the complete results of such 
testing. This legislation could provide a meas- 
urement language for the consumer interest, 
and be an important element in providing the 
buyer's right to the information that would 
allow intelligent choice in the marketplace. 

THE RETAILER 

The retailer today takes a limited responsi- 
bility for the safety of the products he sells. 
Only a few of the large retail chains (for ex- 
ample, Sears Roebuck, J. C. Penney's, and 
Macy's) have their own testing laboratories, 
and these are used more for buying decisions 
than for continuous quality control checks. One 
may note that the second largest United States 
retailer, the Armed Forces Post Exchange 
system, is not prominent for the testing of 
the products it sells. 
At best, the retailer passes on the manu- 
facturer's information to the consumer, per- 
haps confirming some of it. More typically, 
the retailer is lost in the information retrieval 
problem, and gives the consumer only partial 
answers if not wrong ones. 

Some retailers, particularly in their repair 
operations, are utilizing microfilm or micro- 
fiche data systems to rapidly select from large 
amounts of information the particular model 
and part of interest. I foresee a further growth 
of manufacturer information retrieval with the 
development of computer information and data 
systems, already beginning to be used for in- 
ventory and customer charging purposes. It is 
a small step for the salesman who can use a 
computer to see if he has a given model and 
color in stock for him also to search data 
supplied by the manufacturer to see the char- 
acteristics of that model. At that point, the 
salesman becomes the tutor of the consumer 
in the searching for data to allow intelligent 
choice. Advertising would emphasize informa- 
tion transfer. 

THE CONSUMER 

Many consumers, of course, will still elect 
an uninvolved contact with the marketplace, 
buying on whim, buying on short-term emo- 
tional interests which have no place for risk 
calculations. We cannot make the world "safe", 
but we can try to make it safer, and education 
can show the benefits of this effort. With half 
of today's high school graduates taking some 
college work, and with the efforts of Mrs. 
Virginia Knauer and the Office of Consumer 
Affairs to increase consumer education, the 
day of the wise consumer, consumptorem 
prudentem, may be at hand. We speed the day 
by asking for information to allow intelligent 
choice. 

What is the waste today of a marketplace in 
which the consumer does not have full informa- 
tion to allow intelligent choice? Of the $700 
billion spent by consumers for goods and serv- 
ices, how much is spent unwisely, not satisfy- 
ing the need that would have been satisfied if 
we had the information for intelligent choice? 
How many frauds do we suffer, how many wrong 
repairs are made, how many wrong services 
are performed, how often do we buy the wrong 
product? If we include only the difference in 
cost of the satisfaction of what we bought and 
what we would have bought if we had had in- 
formation for intelligent choice, are we 85 per- 
cent right in our purchases? Perhaps indeed 
we are not that successful. Each of us should 
reexamine his goals and see what information 
he lacks in making choices in the marketplace 
to attain them. That 15% that we may be wrong 
(unnecessarily unsatisfied) is $100 billion, so 
the buyer’s right to information has a golden 
benefit indeed, and significant costs to insure 
this right are justified. 

THE REPAIRER 

Complex products may become unsafe in 
unsuspected ways with attempts at repair. The 
necessary trend is that the repairer become 
increasingly professional, following standards 
and certifying successful testing of his work. 
The manufacturer, concerned about his liabil- 
ity, will want to know the repairer’s effect on 
the product and may best protect his name by 
providing repair services. 

THE DISPOSER 

Products must increasingly be made with 
disposal and recycling in mind. This must be 
planned in the design; the manufacturer may 
well be the one who should have the responsi- 
bility for efficient disposal and reuse. The 
practice should be encouraged that when a new 
product is received, the old one is taken away. 

TRADE AND PROFESSIONAL ORGANIZATIONS 

These bodies have represented the narrowly 
defined interests of their constituents, but are 
increasingly recognizing broader social re- 
sponsibilities as well. Let them speak out on 
product safety, organizing the special experi- 
ences of their members. 

NATIONAL AND INTERNATIONAL STANDARDS BODIES 

Standards and test methods are the neces- 
sary language of informed choice. Even with 
some 19,000 U.S. voluntary engineering stand- 
ards (12) published by some 360 U.S. technical 
societies, professional organizations, and 
trade associations, the consumer standards 
needs have just begun to be emphasized. Grow- 
ing world trade is aided by international 
standards (13) and the "multi-partite" agree- 
ments to accept test results across national 
borders. 

GOVERNMENTS 

State and local governments, with their 
building codes, electrical codes, and other 
regulations have an increasing influence on 
local commerce. The issue of preemption of 
local mandatory standards by Federal manda- 
tory standards, even when the Federal stand- 
ard is weaker, is not finally settled by legis- 
latures or courts. Communication is important 
to minimize differences; the National Bureau 
of Standards secretariats of the National Con- 
ference of Weights and Measures and the 
National Conference of States on Building Codes 
and Standards have been quite successful in 
helping to draft the Model State Packaging and 
Labeling Regulation, the Model State Lumber 
Regulation, and in preliminary efforts to con- 
solidate building codes and redirect them to- 
ward performance criteria to allow use of new 
methods for Project Breakthrough. (14) 

Communication cannot erase regional needs 
for differences of regulation to deal with 
regional problems of very low temperature, 
earthquake, hurricanes, etc. The courts, con- 
sidering preemption, may be expected to re- 
spect these needs. The challenge is to write 
the Federal regulation to include these special 
circumstances. 

But how far a state can get ahead of the 
nation in general safety requirements remains 
an issue of our time. Minnesota's efforts to 
place the emission standards below the Federal 
standards for nuclear power plants have thus 
far been denied in the courts.* Consumers 
may indeed develop local values and wish to 
defend them by local standards, if these are 
not recognized by the Federal Regulation. 

The Federal Trade Commission is increas- 
ing its communication with local consumer 
protection groups, establishing in many areas 
Consumer Protection Coordinating Commit- 
tees (7) of local district attorneys, attorneys 
general, consumer protection offices, Federal 
inspectors, weights and measures people, law 
enforcement people, etc., to insure that local 
needs are recognized in Washington, and 
successful methods are shared. 

*Northern States Power Co. v. Minnesota, U.S. 
District Court, Minnesota, December 22, 1970. See 
39 Law Week 2367, 2368, January 12, 1971. 


COMMUNICATION 

The complexity of the "safety system" that 
affects the safety of consumer products is such 
that an interactive computer Product Informa- 
tion Service is essential to let the many par- 
ticipants in the safety system keep up with the 
many changes and have access to the inclusive 
representations of problems and data. An 
interactive computer system lets the user re- 
ceive an answer to his question, and not have 
to sort this answer from page after page of 
printed text selected to answer many questions. 
A prototype system was the Consumer Product 
Safety Index (15), although this never reached 
the interactive stage. 

The service should receive from partici- 
pants (each of whom would sign his name, 
organization, and date of input) information on: 

    injury statistics 
    case histories (without privacy aspects) 
    economic data (products in use) 
    demographic data (user characteristics) 
    complaints and analyses 
    products 
    technical information (publications) 
    possibilities for product improvements (patents, etc.) 
    standards 
    benefit-cost analyses of mandatory standards 
    legislation 
    court actions 
    professional people involved (addresses and phone numbers) 
    manufacturers 
    testing laboratories 

and other information needed to make and 
choose the safer and more useful products that 
the informed consumer will wish to buy. The 
system would be intimately cross indexed and 
subject indexed, so that ideas would lead to 
related ideas, and each of us would not have to 
rediscover elsewhere what others of us have 
found and entered into the system. 
Now we have, as Thoreau said, the matter 
of "putting foundations" under our "castles in 
the air." What does it cost you not to know 
these things? 

CONCLUSION 

The world is significantly less safe because 
most of us are not aware of our hazards. With 
computer information techniques, the con- 
venience of identifying these hazards will allow 
us to use this knowledge to reduce our hazards. 
How thoroughly we act with knowledge may yet 
determine the survival of mankind. As H. G. 
Wells put it (Outline of History, 1920), "Human 
history becomes more and more a race be- 
tween education and catastrophe." 
Rail rapid transit, as we know it today, 
came into being shortly after the turn of the 
century. Although inter-city railroad passen- 
ger service was well established and thriving, 
the opening of New York City's first subway in 
1904 was the beginning of rail rapid transit in 
this country. Since that time, development of 
the rail rapid transit industry has been spora- 
dic. Until very recently most activity took 
place prior to World War II. 

The term rail rapid transit as used in this 
paper refers to systems, excluding streetcars, 
that utilize single or multiple-unit trains on a 
two-rail track. As used here rail rapid transit 
includes subway, surface, and elevated trains 
operated by public or private transit authori- 
ties as well as commuter trains operated by 
railway companies. 

The current urban renewal activity and 
emphasis on community planning and improve- 
ment has brought about a change in urban 
transportation philosophy. Once again, the 
modernization and expansion of rail rapid 
transit systems and the construction of entire 
new systems is underway. Large scale im- 
provements and expansions are being planned 
or made to the systems in Boston, New York, 
Philadelphia, Chicago, and Cleveland. New 
commuter cars are being purchased for use in 
the New York area on railroads and in the sub- 
way system, and on the railroads in the Phila- 
delphia area, and in Chicago. Complete new 
automated rail rapid transit systems are being 
built in San Francisco and here in the Wash- 
ington metropolitan area. A successful auto- 
mated system has been running for more than 
a year between Lindenwold, New Jersey and 
center city Philadelphia. Plans for rapid 
transit are in various stages of development 
in Atlanta, Baltimore, Los Angeles, and Seattle, 
while Pittsburgh's plans embrace an inter- 
modal concept which includes the so called 
"Skybus." 

The availability of Federal funds has been 
a moving factor in this rebirth. The Urban 
Mass Transportation Act of 1964 offered the 
first continuing program for urban mass trans- 
portation. The Urban Mass Transportation Act 
of 1970 continues and expands the role of the 
Federal Government by authorizing 3.1 billion 
dollars for mass transportation during the next 
five years. The 1970 Act also expresses the 
intention of the Congress to provide 10 billion 
dollars in assistance over the next 12 years. 
In addition to Federal grants, a marked in- 
crease in the financial participation of State 
and local governments has occurred, with the 
prospects of additional funds in the future. 

The Urban Mass Transportation Act of 1970 
includes as part of its purpose the word "safe." 
The meaning of the word safe is not spelled out 
in the Act; however, we at the National Trans- 
portation Safety Board have definite feelings 
about the future meaning of the word and will 
make some recommendations to UMTA regard- 
ing its implementation. These recommenda- 
tions are the result of several months' observa- 
tions made by Safety Board personnel of transit 
operations in New York, Philadelphia, and 
Chicago. These observations were supple- 
mented by consultation with the personnel of 
the Metropolitan Transportation Authority, the 
Port Authority, and Penn Central Transporta- 
tion Company in New York; the Southeastern 
Pennsylvania Transportation Authority, the 
Port Authority Transit Company, the Reading 
Company, and the Penn Central Transportation 
Company in Philadelphia. 

Let me clarify one thing at this point. The 
rail rapid transit industry historically has been 
considered a safe method of urban transporta- 
tion. Recently among the older systems this 
image has been tarnished by highly publicized 
incidents of system failures. In spite of these 
system failures, and in spite of the absence of 
statistical data to confirm it, passengers on 
board a rapid transit train are exposed to a 
much lower risk than on any form of highway 
travel. 

There is no single private or governmental 
agency to which all of the rail rapid transit 
industry reports comprehensive accident data 
on a regular basis. Railroads and certain of the 
interstate transit authorities are required to 
report accidents to the Federal Railroad Ad- 
ministration; however, the methods are ori- 
ented to conventional railroad operations with 
no separation for commuter operations. 

Within the transit industry, the American 
Transit Association compiles operating ac- 
cident statistics for transit systems but in- 
cludes only motor coach, trolley coach, and 
streetcar operations. Recently, there has been 
an effort by the transit members of the Na- 
tional Safety Council to establish a uniform 
system of compiling and exchanging accident 
information, but there has not been uniform 
acceptance of these procedures. The net result 
is a complete lack of data that can be used as 
a comparison of safety within the industry or 
between transportation modes. When one does 
not know the characteristics of the accidents 
and where they are happening, and both acci- 
dent and use history data are not available, 
operations analysis to identify problems areas 
becomes difficult. 

Rail rapid transit systems and railroads 
are good examples of the highly wasteful, but 
normally used approach which attacks prob- 
lems as they are revealed by accidents. With- 
in the present state-of-the-art it is most in- 
efficient to wait for the accidents to occur and 
then to correct the problems by making 
changes. Obviously what should be done, of 
course, is to find the hazards in advance. 
Through systematic analysis of the system one 
may predict the likelihood that those hazards 
will be activated by exposure of the system to 
a system failure, a human error, conditions 
external to the system, or combinations of 
these; determine the alternatives to the as- 
sumption of this risk; and recommend the 
corrections before the system is put into 
operation. 

The problem becomes one of indoctrinating 
this concept into the rail rapid transit industry. 
Historically, the rail rapid transit industry has 
depended on a good past accident record rather 
than focusing on means for identifying hazards 
and evaluating risks. There appears to be an 
attitude in the railroad and transit community 
that no professional engineer would design or 
produce an unsafe product, and I agree that no 
professional would knowingly do this. However, 
there are concrete examples in the transit field 
today where these safety-conscious profes- 
sionals have produced components that re- 
sulted in a system that contained hazards which 
could lead to disaster if they had not been 
found. 

These examples of hazards are physical 
evidence that the application of a disciplined, 
systematic review of a system is necessary if 
optimum safety is to be accomplished. A re- 
view of some of these conditions will illus- 
trate the applicability of system safety to the 
rail rapid transit industry. 

Station accidents represent the highest ac- 
cident ratio in the industry and include falls on 
stairs, escalators, platforms and passageways, 
injuries from assault or being pushed by other 
persons, and injuries resulting from smoke and 
other miscellaneous causes. 

The facilities involved in most station ac- 
cidents are also those that receive substantial 
architectural consideration during construc- 
tion or modernization programs. Too often the 
aesthetic viewpoint dominates the practical 
considerations. Open stairwells and barrier- 
free escalator handholds challenge the acro- 
batic capabilities of children. Street entrances 
are often sloping ramps that resemble ski 
slopes during snowy winter weather. Subdued 
lighting in entrances greets patrons wearing 
sun glasses. Wall and ceiling surfaces are 
covered with materials which quickly lose their 
reflectivity upon exposure to rail and wheel 
dust and the graffiti experts. 

It is significant to note that the highest in- 
cidence of fatality in rail rapid transit does not 
occur to the passenger on board the train but 
to persons on the track, including trespassers 
and those who have jumped from station plat- 
forms or were inadvertently pushed. 

The train-person collision, where it in- 
volves patrons, occurs in the proximity of sta- 
tion platforms and is most frequent at car- 
floor height platforms. Station accidents 
involving a fall to the track are also experi- 
enced at these locations. In spite of this ex- 
perience, the trend in the industry is towards 
open, car-floor height platforms to enhance 
faster discharge and receipt of passengers. 
In our society there are very few places where 
the public is allowed to congregate immediately 
adjacent to an unprotected opening four feet 
deep. This is the case where commuters 
jostle each other on high-level platforms while 
waiting for rapid transit trains. To increase 
the hazard, trains pass through the opening at 
speeds up to 75 miles per hour. 

In most older systems, if a patron were 
pushed, fell, or jumped to the track the pos- 
sibility of being hit by a train was minimized, 
to some extent, by the use of express tracks 
which were separated horizontally from car- 
floor height platforms. The newer systems are 
not utilizing this concept and nonstop trains 
whiz by crowded platforms. Platforms now are 
located also in the median strips of crowded 
expressways where noise and other distrac- 
tions are prevalent. Warning systems are not 
provided and therefore the likelihood of a train 
approaching without detection has increased 
markedly. Architectural considerations in new 
underground stations have dictated that the 
track zone be sparsely lighted so that un- 
aesthetic views of the track are not high- 
lighted. Therefore, a person who has fallen on 
the track is obscured by shadows and is less 
likely to be seen. 

Further, train-person collisions are ex- 
perienced at surface stations constructed with 
low, rail-height platforms. The majority of 
these accidents involve patrons taking short 
cuts across tracks which either have no inter- 
track barriers or barriers inadequate to dis- 
courage this practice. Unfortunately, many at- 
grade stations have highway grade crossings 
at one end or the other of the station platform 
that make the erection of permanent effective 
intertrack barriers extremely difficult. 

Grade crossings are not compatible with 
rail rapid transit operations. The consequences 
of a collision of a rail rapid transit train with 
a truck load of hazardous materials could be a 
major disaster. In December, 1966 at Everett, 
Massachusetts a rail commuter car struck a 
stalled tank truck of fuel oil and the resulting 
fire killed 13 persons because they could not 
escape from the car. There were no emergency 
exits and the inward-swinging door was jammed 
closed by the press of the people trying to 
escape the fire. It takes very little imagination 
to see what could happen to a commuter train 
with several hundred persons on it if it struck 
and ruptured a tank truck of gasoline or 
liquefied petroleum gas. 

Grade crossing protection or elimination 
programs have been unorganized, dependent in 
many instances, not on the hazards involved, 
but on whether the road involved is classified 
as a "Federal Aid" route. Motor vehicle laws 
involving grade crossings are ignored by the 
general public and not enforced by local author- 
ities. Zoning laws and other local ordinances 
are explicit in their requirement to insure 
compliance with environmental and other social 
values. These regulations also generally pro- 
hibit sight obstructions at street intersections. 
It is rare, however, to find any regulations af- 
fecting the type of construction or landscaping 
in the vicinity of a highway-rail grade crossing. 

Although grade crossing accidents are 
recognized as a hazard within the rail rapid 
transit industry, in some instances the design 
of the car equipment is not consistent with this 
recognition. Transit cars originally designed 
for operation in a closed system are operated 
over highway grade crossings. The pilot pro- 
tection, deemed necessary in the railroad in- 
dustry to minimize the chance of derailment 
upon hitting an obstruction, is not provided 
consistently on rail rapid transit cars. In 
some instances, passengers are seated at the 
front of the car immediately adjacent to a 
large windshield. In the event of a grade cross- 
ing accident, the passengers will have an ex- 
cellent view of the event if they survive to 
relate it. 

Injuries that have occurred in the on-board 
category have involved or resulted from board- 
ing and alighting; falls on board, including falls 
between cars; vandalism; fire or smoke; and to 
a lesser extent, derailments or collisions. 
Original design has been a factor in all of these 
incidents. 

Boarding and alighting accidents have in- 
volved the car doors, the space between the 
platform and the car, open spaces between 
cars, the car steps and the platform surface. 
As a general rule, car-floor height platforms 
were observed more in inner-city type opera- 
tions, with low rail-height platforms being 
provided at locations handling suburban serv- 
ice. The experience again indicates a lower 
accident frequency at low platforms than at 
the car-floor height platforms. 

New car equipment has been observed with 
no protection provided for the space between 
cars. This has resulted in falls to the track 
while boarding or alighting as well as on-board 
falls. Understandably, the results have gen- 
erally been severe. Protection has been pro- 
vided with intercar chains as well as re- 
tractable gates, both of which appear to be 
only a partial solution added as an afterthought. 

On several systems car-floor height plat- 
forms are inter-mixed with those of low rail- 
height design. To accommodate boarding and 
discharge this has necessitated car vestibules 
with trap doors in the down-position for car- 
floor height platforms and in the up position 
for the low platforms. The trap door has been 
the source of numerous injuries and its use 
should be discouraged. 

I think we can assume that in rush hours 
there will be a large number of standees; 
however, minimizing the number of standees 
will reduce the number of on-board falls. The 
provision of hand holds designed for passenger 
comfort and convenience should be recon- 
sidered. Improved car suspension systems and 
smoother accelerating and braking character- 
istics would be helpful also. 

Some of the newer commuter cars have the 
"flop-over" seats so that when the train re- 
verses direction, the seat backs are "flopped 
over" to allow the passenger to ride facing 
forward. There have been instances where 
emergency stops have been made resulting in 
the standees grabbing the seat backs to pre- 
vent themselves from falling. This "flops 
over" the seat backs with passengers sitting 
in them. An analysis of this feature would have 
revealed the obvious hazard in this type seat 
arrangement. 

Obviously, there are many operating fac- 
tors which affected the design of rail rapid 
transit cars. Safety should be given high 
priority as a factor. 

Window designs vary from the large picture 
window to the porthole type. Almost all transit 
passengers face the hazard of being injured by 
thrown objects, and design of windows can 
lessen the severity of injuries from thrown ob- 
jects. Various types of glass panes are used 
and now tough plastic material which will with- 
stand the impact of a thrown rock is being used. 

The design of the front end of transit cars 
can influence the severity of a grade crossing 
collision. Large expanses of glass on the front 
ends of cars subject the operator and passen- 
gers to additional dangers from impacts of 
objects thrown from above as well as collisions 
at grade crossings. 

There appears to have been no systematic 
approach to the design and use of windows. The 
obvious approach would be to determine the 
environmental exposure of the windows and 
surrounding structures during their opera- 
tional life-time. Once these environments are 
understood, the optimum combination of window 
pane and surrounding structure can be deter- 
mined as those which offer the least risk to the 
passengers and crew. 

Although window design is the most con- 
spicuous, there are many other car design 
areas that warrant re-examination for de- 
termination of the optimum design. These 
design characteristics vary in importance and 
include in part: exit location and design, 
passenger seating arrangements, accommoda- 
tion of hand-luggage, motorman separation, 
intra-car passageways and barriers, rear-end 
illumination, front-end derailment and col- 
lision protection, braking systems, car-wheel 
metallurgy, and automatic control systems. 

While new rail rapid transit cars are sub- 
ject to differences in design criteria between 
systems, they also contain common innovations 
which are valuable in furthering passenger 
safety. These include such items as two-way 
radios or train-phones, complete train public- 
address systems, speedometers, improved 
ventilating systems, and emergency car light- 
ing. The installation of these devices has been 
accomplished with safety in mind; however, 
experience has provided the hazard analysis. 

As in other transportation networks, the 
traffic-control system of rail rapid transit is 
a necessity in the safety and efficiency of opera- 
tions. Unlike other transportation networks, 
however, a train must stay with the route 
established for it by the track and the traffic 
control system. The engineer does not have the 
option of selecting an alternative route at the 
last moment when an accident appears im- 
minent. Therefore, both safety and reliability 
must be designed and built into the traffic con- 
trol system as a prerequisite to efficient op- 
eration without a high accident frequency rate. 

Although railroad and transit accident 
statistics indicate that the failure of signal 
systems does not cause a significant number 
of accidents, much can be done in the field of 
signals to enhance railroad and transit safety. 
Many accidents attributed to man failure and 
acts of God can be prevented by a good signal 
and train control system. The modernization 
and extension of existing lines appears to 
perpetuate existing signal systems without 
due regard to the accident experience of the 
system involved. 

New rail rapid transit lines are being 
designed with the capability of a fully auto- 
mated signal and train control system. These 
new systems should be subjected to rigorous 
safety analyses to assure that the system will 
operate safely for a prolonged period of time 
under varied maintenance conditions. The 
analysis of a computerized system using digital 
data inputs requires the application of sophisti- 
cated safety analysis techniques. 
Almost invariably rail rapid transit tunnel 
design shows a lack of foresight in providing for 
emergency situations. Minor smoke or fire 
incidents in tunnels have turned into panic 
situations, resulting in injuries and loss of life. 

Safety walks originally intended for use in 
the evacuation of passengers have been utilized 
to accommodate signal and electrical facilities. 
Walks are also used for the storage of mainte- 
nance of way material. Emergency exits have 
been located immediately adjacent to turnouts 
presenting an obstacle course of running rails, 
guard rails and energized third rails. Exits are 
sparsely located and difficult to identify under 
normal circumstances, both inside and outside 
of the tunnels. Exits are narrow and steep, 
easily negotiable by a spry young man, but 
another matter for a not-so-spry elderly lady. 
In some instances, in-tunnel lighting is prac- 
tically non-existent and ventilation is depend- 
ent upon natural drafts. The hazards of tunnel 
evacuation are recognized in existing rule 
books that indicate that detraining of 
passengers within tunnels must only be accomplished 
as a last resort. 

The minimization of the hazards in existing 
emergency tunnel evacuation is an area that 
demands immediate attention. Upgrading pro- 
grams have been undertaken on some systems 
and the results are markedly apparent, although 
no one system has accomplished all of the 
following steps. The steps that have been taken 
to improve conditions include the installation of 
additional lighting, signs, emergency tele- 
phones, fire alarms, power disconnects, hand- 
rails and fire extinguishers. Portable 
emergency equipment such as de-training ladders, 
bull-horn speakers, stretchers, lanterns, 
air-paks, first-aid kits, and between-rail walkways 
have been strategically located either in tun- 
nels, at stations, or on equipment. The in- 
stallation of this type of equipment is manda- 
tory if operational delays, adverse publicity, 
lawsuits and most important, loss of life are to 
be minimized. 

Closely related to the tunnel design problem 
is that of the third rail. The third rail con- 
ducts the electric power for the operation of 
most rail rapid transit cars. In most instances, 
the third rail carries 600 volts of direct-cur- 
rent power and is located immediately adjacent 
to the tracks. The third rail has been a source 
of electrical burns and fatalities for 
passengers, trespassers and employees even though 
in both of the two basic designs, under- 
running and over-running, some protection 
against electrical shock has generally been 
provided. The third rail and the associated 
connecting appurtenances on the transit car 
have initiated fire and smoke incidents. Gen- 
erally, the fire and smoke injuries have been 
relatively minor, but serious accidents have 
been caused by subsequent detraining and 
evacuation. For new systems this design 
warrants a complete reappraisal. 

Rail rapid transit construction recently has 
shown increased usage of the joint-corridor 
concept, sharing right-of-way with existing or 
new highways or railroads because of economic 
and social considerations. This concept has 
many proponents and the arguments for joint 
utilization are indeed convincing. 

The safety of each mode must be assured at 
an interface such as this and to accomplish this 
requires a systematic evaluation of the hazards 
of each mode and the interface between the 
modes. These evaluations must be made in the 
planning stage rather than after the system has 
been constructed and alternative plans are too 
expensive to implement. 

When one looks at the possibility of a gaso- 
line or liquefied petroleum gas tank truck vio- 
lating the transit track space the potential 
consequences are frightening. A comparable 
prospect exists where rapid transit tracks 
operate jointly or adjacent to a freight-carrying 
railroad. Shifted loads and derailments can 
foul the transit tracks resulting in catastrophic 
collisions. 

I would be shocked genuinely to find a transit 
operation without a safety department. I would 
expect to find that safety is deemed the first 
responsibility of all employees, and each 
supervisor is charged with the responsibility 
for safe operations within its jurisdiction. For 
the most part, however, management emphasis 
on safety involves employee activities. It 
would be completely unfair to imply that there 
is a lack of concern for passenger safety with- 
in the rail rapid transit industry. There are 
concentrated efforts to investigate accidents 
and improve the lot of the passenger; 
however, these efforts did not appear to receive 
the emphasis that was regularly placed on 
employee safety by the safety depart- 
ments. 





Safety department personnel generally are 
charged with the responsibility of "closing the 
barn door after the horse was stolen" without 
having an opportunity to review a new facility 
during design and construction. The safety in- 
put for new or modernized facilities has been 
accomplished historically by the design engi- 
neers and/or operating and maintenance per- 
sonnel. While these groups surely have safety 
in mind, they are influenced also by architec- 
tural, operating, maintenance, and economic 
considerations. A system safety review of new 
or modernized facilities normally does not take 
place during the conceptual stage. As a result, 
it has not been unusual for new facilities to be 
modified after they are operational and the first 
accident occurs, at a cost that is greatly in 
excess of that required to remove the hazard 
from the initial design. Safety personnel are 
not used to the extent of their potential, which 
I understand is not a new situation. 


There is a ready application for system safety 
in the rail rapid transit field and the time to start 
is now. The degree of safety achieved in any 
system is directly dependent upon the emphasis 
of management. In the rapid transit industry 
this management emphasis on safety includes 
the management of the granting and use of 
funds by the Federal Government. This man- 
agement emphasis must be applied during the 
conception, development, production, and oper- 
ation of each system throughout its life cycle. 

Much needs to be done with the existing 
operating systems. System safety programs 
for new systems are not the only needs in the 
industry. Keen analyses of the present systems 
would identify the hazards and evaluate the cor- 
rective actions so that management could deter- 
mine what degree of safety is needed. The pub- 
lic which is paying the bills can no longer afford 
the inefficient method of waiting for an accident 
to occur and then correcting the problem. 
Thank you, it's nice to be back and to have 
the opportunity to bring you up-to-date on 
what's new in the field of auto safety; espe- 
cially in the area of design, since all vehicle 
manufacturers must translate our Federal 
Motor Vehicle Safety Standards into designs 
that meet the safety performance require- 
ments. 

First, I'd like to show you some figures 
and discuss how activity has been re- 
flected in these safety statistics. Much has 
happened in the field of motor vehicle safety 
since I spoke to you on May 1, 1968. Later 
we’ll explore what's in store for the next two 
or three years in the motor vehicle and high- 
way safety field. 

Figure 1 shows the traffic situation today. 
From 1961 through 1966 the average increase 
in fatalities was 6.8% per year. However, 
since the expanded Federal Safety Program 
got under way, this trend has dropped to 
0.95% — in spite of a 6% increase in vehicle 
registrations and drivers and a 4% per year 
jump in total miles driven. These fatality 
figures represent a startling drop when you 
consider that only about 1/3 of all the cars on 
the road today have the new safety features. 

Our early projections indicated that the 
number of crash victims should start to de- 
cline around 1972 or 1973. However, last year, 
1970, we had 2% fewer deaths than in 1969 
(56,400 vs 55,300). We believe the tide has 
begun to turn. Additionally, recently tabulated 
data shows a decline in severity of injury, 
as reflected in the number of days lost through 
reduced activity and hospitalization because of 
motor vehicle crashes. The rate rose sharply 
until 1966. For example, in 1967, an average 
of 34 days was lost due to restricted activity 
while in 1969, this average was down to about 
25 days. 

Evidence that later model cars are safer 
is shown in a study, made by the Highway 
Safety Research Center, University of North 
Carolina, of injuries to drivers in 270,000 
vehicles involved in accidents in North Carolina 
from 1966 to 1968. Results suggest that for 
every 100 serious and fatal driver injuries in 
1968 models, 130 would have occurred in a 
similar array of crashes had 1966 models 
been involved. The Director of the HSRC 
states that, "as more and more of the newer 
cars, with more safety devices, come onto 
the highways, there will be a more pronounced 
safety factor to work against the upward pres- 
sures from more cars, more miles and higher 
speeds." 

Figure 2, our systems approach, which 
I described to you 3 years ago, has begun to 
pay off. Let's take a look at one of the old 
system description slides. By using a sys- 
tems approach to prevent or lessen the end 
results of deaths, injury and property damage, 
we must either: 

1. Prevent the occurrence of crashes: - 
Precrash 

2. Increase survivability in crashes that 
do occur: - Crash 

3. Provide prompt medical attention to 
injured people and other postcrash 
salvage measures: - Postcrash. 

The systems approach (Figure 3) on the 
time base of precrash, crash and postcrash, 
is interfaced with the system elements of the 
driver, the vehicle and the environment. Of 
these three systems, action on the vehicle 
system will effect the greatest and quickest 
pay off. Design modification will reduce the 
national emergency proportions of highway 
deaths, injuries and crashes. In working to 
make these design changes, we deal with a 
small number of American and foreign vehicle 
manufacturers to effect the safety changes. 

Vehicle design is the most direct and most 
positive means for man to affect system safety 
in the shortest time. We (MVP) can do many 
things with vehicle design to keep the driver 
out of trouble and make sure that he does not 
pay with his life for his first mistake. 

Our enviable highway network contains 
millions of miles of roadway under local, 
State and Federal jurisdiction. The Federal 
Highway Administration and Traffic Safety 
Programs, a part of D.O.T., are concerned 
with the vehicle environment or roadway. They 
direct their system effort to safer roadways by 
improving traffic capacity, sight distances, 
speed, lighting; removing roadside hazards 
and accident-producing obstacles, controlling 
safer traffic flow through better signs, sig- 
nals and computer control systems. The time 
frame for this systems approach, as you 
know, is longer than the vehicle approach. 

Altering or changing the third system, the 
driver, is also a long term approach. With 
some 111 million licensed drivers, most 
good, some bad, operating 111 million vehicles 
over 3.7 million miles of roads in 51 separate 
jurisdictions, you can readily see that the 
education, training, licensing, and record 
keeping of vehicle drivers could not have 
a fast payoff. The basic responsibilities for 
safe operation of highway traffic and for 
control of drivers remain with the States. 

Last month in Detroit, a high speed crash 
on the Edsel Ford Expressway (Figure 4) 
illustrates the simultaneous contribution of 
all three systems to a deadly crash: 

1. The Driver 

2. The Vehicle 

3. The Environment. 

While our systems approach is basically 
unchanged, the organization which implements 
the system has changed in structure and size. 

Since I was last here in 1968, (Figures 5, 
6, 7, 8, 9, & 10) the National Highway Safety 
Bureau has come of age and is now a full 
fledged Administration - the National Highway 
Traffic Safety Administration. This Admin- 
istration is organized as shown with Motor 
Vehicle Programs being responsible for the 
development and issuance of safety standards. 
Here we see the organization of Motor Vehicle 
Programs and the three Offices assigned to 
preparing standards: Operating Systems, 
Crashworthiness and Vehicles in Use. In the 
two other Offices shown - Defects Review 
is concerned with investigating and following 
up on problems affecting the operation of ve- 
hicles in use by the motoring public - such 
as the Ford lower control arm problem and 
the G.M. three-piece truck wheel which af- 
fected a great number of truck campers. 
The Other Office - Compliance - is responsible 
for insuring the compliance of new vehicles 
and vehicle equipment with the requirements 
of all safety standards in effect today. 

As more and more standards and 
amendments are issued (Figures 11 & 12) they begin 
to affect many of the same components and 
subsystems of a vehicle. It soon became all 
too apparent that we had to supplement the 
systems approach in our thinking and subse- 
quent issuance of rulemaking actions. To this 
end (Figure 13) we now have an Engineering 
Systems group - a staff function to the Asso- 
ciate Administrator - to insure that all of 
our standards are properly interfaced with 
others that affect a common component. 


Also (Figure 14) equally important, we now 
provide for the timely introduction of our 
standards with effective dates that complement 
the product cycle operation of the vehicle 
manufacturers. Also, we now carefully analyze 
the safety benefits of each new rule as to cost 
and pay off in terms of reductions in deaths, 
injuries and accidents. These new approaches 
insure that new standards will be reasonable, 
appropriate and practicable. 

When I spoke to you in 1968, we had issued 
23 standards. These original standards were 
based, to a large extent, on existing SAE and 
other existing voluntary standards and various 
government requirements for vehicle safety. 
They did not specify, in many cases, the re- 
quirement for safety in quantifying terms. 
We have since addressed ourselves to these 
deficiencies. For example, Safety Standard 
No. 104 required a windshield washer and 
wiper. This has now been upgraded through 
amendments to specify exact requirements 
for how much of the windshield must be washed 
and wiped. The same is true for Safety Stand- 
ard No. 103 - Windshield Defrosting and De- 
fogging. Since 1968, the original 23 standards 
have grown to 34 standards, 5 regulations, and 
79 amendments. I want to point out that in 
many cases amending an existing standard is 
as complicated, if not more so, as issuing 
a new standard. For example, we recently 
amended Safety Standard No. 208. This was 
initially entitled, "Seat Belts." The amended 
version has been renamed, "Occupant Crash 
Protection Systems" and now specifies among 
other things the requirements for passive 
systems to protect the driver and occupants 
from injury in the event of a crash. A tre- 
mendous effort was required to promulgate 
this amendment. 

The systems approach here points up the 
validity of our emphasis on the vehicle rather 
than the driver to achieve a reduction in high- 
way fatalities. We have required seat belts in 
passenger cars since 1968, but we can't make 
people use them. 

The National Safety Council claims that 
if all available belts were always worn, be- 
tween 8,000 and 10,000 lives could be saved 
every year. We also know that seatbelts saved 
2,000 to 3,000 lives last year; even though only 
35 percent of the cars in this country have 
them. 
People say they get "all bunched up" and 
get in the way. Well, the best way to keep 
them from being bunched up is to fasten them 
around your waist. And then they say, "But 
that's uncomfortable — it restricts me" and to 
that, I can only say that seat belts are not as 
uncomfortable as a cast on the leg, and they 
don't restrict you half as much as a hospital 
bed does. 

However, the trouble is, figures indicate 
that no more than 30 percent of the public 
uses its lap belts and only a paltry 4 percent 
uses the shoulder harness. So it is quite evi- 
dent that we need a method which does not 
depend upon any action that must be taken by 
the driver or his passengers. So we are going 
all out for a passive restraint system. The 
leading type of these is called the "Air Bag." 
I've seen them work and I'm convinced that 
they can do the job. 

I would be the first one to concede that 
improving the car alone will not end all road 
fatalities. We are dealing with a complex 
system of man, machine, and highway. We 
have to hit all three hard in a coordinated 
attack if we are going to start saving those 
55,000 lives being thrown away every year 
(as revealed by the latest compilation of fig- 
ures we have at D.O.T.). In addition to a better 
machine, we need to complete our Interstate 
system because for every 5 miles built, 
we save one life per year — on a continuing 
basis. 

In fact, since the Interstate highway pro- 
gram began, we have saved over 35,000 lives 
because the Interstate system is that much 
safer for motorists. Another thing we are 
going to do is continue to improve the older 
primary and secondary roads. 

But perhaps the major improvements dur- 
ing the 70's are going to be in the area of 
driver qualifications. Let me give you a pro- 
file of a typical accident. 

The Profile: The wee hours of a 
Saturday morning in December are apt to be 
the most dangerous time of the year for 
driving... 

Death is most apt to occur at that time on 
an undivided two-lane highway in a suburban 
area ... 

The weather will be clear and the victim 
will probably be a 2) -year old male driver 
alone in a sports car... 


The likelihood is that he will run off the 
road and crash into a tree or utility pole... 

He will die, usually instantly, of head and 
chest injuries... 

Tests will show that he had an alcoholic 
level of .15 of one-percent in his blood — more 
than half again the Federal government's 
standard for intoxication. 

These are not guesses — these facts come 
from the results of a $1.2 million Department 
of Transportation grant to the Commonwealth 
of Massachusetts to computerize accident data. 

The Massachusetts study shows that more 
than two-thirds of all auto deaths were trig- 
gered by alcohol. (We have been using, na- 
tionally, the figure of "more than half." The 
startling Massachusetts figures show that 
we may have underestimated.) 

We estimate that the use of alcohol by 
drivers and pedestrians causes at least 25,000 
deaths and 800,000 injuries each year. The 
sickening aspect of this tragedy is that so much 
of the loss of life, limb and property is suffered 
by people who are completely innocent. 

However, public myth has always held 
that you can't really do very much about the 
drunken driver. Well, the time has come — in 
fact, it's overdue — for us to demolish this 
defeatist attitude. But it will take more than 
a simple Breathalyzer test. 

We have just set up an Office of Alcohol 
Countermeasures to direct our top-priority 
campaign in this area. The job of this Office 
will be to identify the chronic drinker before 
he becomes a statistic in the morgue — or kills 
an innocent victim. The alcoholic, contrary to 
legend, does have an identity. He is on some- 
body's book, either as a patient, a bad employ- 
ment risk, or troublemaker or a poor insur- 
ance risk. Most heavy drinkers are already 
known to family counselors, welfare agencies, 
local traffic courts and their long-suffering 
neighbors. 

So, whenever a man is convicted for drunk 
driving, his entire background should be 
investigated before he is sentenced. The judge 
should determine whether the offender has 
ever been arrested before for drunkenness — 
on or off the highway. Then he can confront 
him with two options — either get treatment 
and dry out, or stop driving. Period. No le- 
niency, no excuses, no extenuating circum- 
stances. The tough approach has paid off in 
countries as diverse as Sweden and Great 
Britain. 

Much of this talk has concerned new 
vehicles and new equipment and, if this were our 
only approach, it would take 11 years of intro- 
ducing standards on new vehicles to get com- 
plete coverage of the vehicle population. To 
determine the scope and limitations of vehicle- 
in-use candidate standards, detailed fault logic 
was used to identify vehicle safety critical 
systems. This effort is reflected in the Booz- 
Allen Hamilton Report No. FH-11-7316. 

The hazard analysis technique used in 
aerospace was used during the development 
of the dual fuel project by General Services 
Administration with Department of Transpor- 
tation assistance. This technique was also 
applied to passive restraint system to a lim- 
ited degree. 

Before closing, I'd like to say a few words 
about our experimental car project (Figure 15). 

The National Traffic and Motor Vehicle 
Safety Act of 1966 provides that the Secretary 
of Transportation shall conduct research, 
development, testing and training on experi- 
mental motor cars and equipment. 

We have awarded three contracts totaling 
nearly 8 million dollars for construction of 
an experimental vehicle (Figures 16, 17 & 18). 
A.M.F., Fairchild Hiller and G.M. (their bid 
was $1.00) have contracts for the production 
of a 5 passenger, 4-door sedan weighing about 
4,000 pounds with a wheelbase of about 120 
inches. These low emission vehicles will have 
three different designs with accident avoidance 
and crash injury reduction objectives in mind. 

We are requiring that the integrity of the 
passenger compartment should be insured in 
barrier crashes up to 50 mph, that the com- 
partment should also remain intact in roll- 
overs at 70 mph. These all-new vehicles will 
enable us to set improved future safety stand- 
ards for all automobiles offered for sale in 
this country. One contractor will build and 
test a total of 14 of these cars by the end of 
1972, after a run-off between prototypes. 

These mobile laboratories will help pro- 
vide effective and realistic answers to the 
problem of cutting the highway death toll. 

Three years ago, we were on a rising 
curve of highway deaths and crashes (Figure 1). 
By systematically applying our research and 
knowledge, we have turned the curve down- 
ward. With our safety standards, improved re- 
straint systems, alcohol programs, proposed 
used car programs and our experimental 
safety cars, we think we can bring all the 
elements of the safety equation into balance. 

We believe we can drive highway fatalities 
down by 40% by the year 1980. When I say we, 
I mean all of us - you, the individual driver, 
the manufacturers, the equipment suppliers, 
the State regulatory agencies, and the insur- 
ance companies. 

We will all be driving for the greatest 
possession of all. We'll be driving for our life. 
INTRODUCTION 

Man's concern with safety dates back to 
earliest pre-historic times, when his primary 
objective was survival against his enemies and 
the elements. However, as is the case with 
many other disciplines, the greatest advances 
made in System Safety have occurred in recent 
times. In the main, these advances have come 
about through efforts focused upon two classes 
of activity. One engaged in by relatively few 
people but of great interest to the general 
public, relates to man's recent extensions of 
his travels into new and unfamiliar environ- 
ments - into the depths of the ocean, through 
the atmosphere at great heights and speeds, 
into outer space and onto the surface of the 
moon. The other interfaces with larger num- 
bers of people and is concerned with the pre- 
vention of hazardous events that are potentially 
catastrophic to many, such as inadvertent 
nuclear explosion, of either a military device 
or a commercial power generating station, 
or loss of a large passenger aircraft. 

The areas of System Safety Technology 
which have benefited the most as a result of 
these recent advances are: 

1. The development of techniques for the 
identification of inherent problems so 
that all hazards associated with a given 
undertaking can be determined. This 
aspect of System Safety Technology 
is discussed only peripherally in this 
document. 

2. The formalizing of interfaces between 
System Safety and other technologies. 
This aspect will be dealt with at some 
length. 

The need for such formalization in a large, 
complex system can be illustrated by consid- 
ering a large ship such as LHA. This ship has 
many of the qualities associated with a city in 
that large numbers of people work, are housed, 
engage in recreational pursuits, are fed and 
are tended to medically. It has the qualities 
of an industrial complex by virtue of the vari- 
ous shops it contains. It has many of the prob- 
lems usually associated with military oper- 
ations, such as armament activity, storage of 
large quantities of combustibles and the need 
to conduct aircraft operations during good and 
inclement weather conditions. Finally, safety 
interfaces that relate to ecology and pollution 
must now be considered in a more formal 
fashion. In relation to this latter interface 
it can be considered that the ironclad rule 
usually accorded to ships' captains is now 
being challenged as a consequence of the 
pre-dawn collision between two oil tankers 
that occurred on 18 January 1971 which spilled 
nearly 900,000 gallons of oil into the 
ecologically sensitive San Francisco Bay. 

INTERFACE WITH SYSTEM 
EFFECTIVENESS 

The disciplines that conventionally relate 
most intimately to System Safety are Reli- 
ability (R), Maintainability (M), Quality Assur- 
ance (Q), Human Factors (H), and Value Engi- 
neering (V). Unification of these, and other, 
disciplines with System Safety can be achieved 
through various techniques. The one chosen for 
use in this presentation is system effective- 
ness, E, which is defined as 

The measure of the extent to which a sys- 
tem may be expected to achieve a set of 
stated system objectives. 

In general form the functional relationship 
between E and the "ilities" listed can be 
written. 



since E is a function of t, and where 

a is the achieved level of each parameter at some specified time in the system’s life, and 
s is the specified level established for that parameter. 
The functional relationship expressed by 
equation (1) needs to be written as an explicit 
expression if a value of E is to be obtained at 
some point in time. However, no single explicit 
expression can be proposed, for E(t) depends 
upon factors that are unique to each system. 


One problem is brought about by the fact that 
the components of E are almost never com- 
pletely independent of each other. Another 
relates to the fact that the components have 
different "utility values", k_i. When these are 
known, equation (1) can be written as equation 
(2), in which 



0 < k_i < 1 

Because of the considerable complexities in 
establishing and measuring the various param- 
eters that comprise equation (2), it is neces- 
sary to obtain values for E by a process of 
optimization. This is discussed later. 

INTERFACE WITH RELIABILITY 

System Safety is more closely related to 
and allied with reliability than with any of 
the other disciplines defined by E. The basis 
for this strong interface becomes apparent 
upon examination of fundamental definitions. 
The generally accepted definition of Reli- 
ability is 

The probability that a system performs 
its intended function for a specified period 
of time under a set of specified conditions. 

A definition for Safety that fits most require- 
ments is 

Freedom from those conditions that can 
cause injury or death to personnel, dam- 
age to, or loss of, equipment or property. 

Disregarding, for the moment, the fact that 
the definition for safety is qualitative rather 
than probabilistic in nature, it is evident that 
hazards which occur without causing injury or 
death to personnel can fall into either the 
safety or reliability domain. Further, it is also 
evident that injuries and fatalities can result 
from the inability of a system to perform 
its intended function, a reliability concern. 
Conversely, the occurrence of a hazard which 
affects only personnel, a safety concern, can, 
as a secondary effect, be responsible for pre- 
venting a system from performing its intended 
function, thereby degrading the reliability of 
the system. 

In order to define an interface between 
safety and reliability which can be operated 
upon by conventional scientific methods, it is 
necessary that both domains be quantified 
using compatible units. In the safety domain 
quantification is accomplished by assigning 
probabilities to events and then combining 
these individual probabilities into an overall 
probability. In most general terms, all safety 
calculations are derivable from the expres- 
sion 

P(S) + P(F) = 1                        (3) 

where 

S is the set of events that describe safe 
performance 

F is the set of events that describe unsafe 
performance 

P(S) and P(F) are probabilities of the oc- 
currence of S and F respectively 

Having transformed safety into probabilis- 
tic terms, mathematical operation is carried 
out through manipulation with sample points, 
sets and events. It is possible to represent 
the S and F sets by means of a Venn diagram 
such as the one shown in figure 1. In this 
figure, the rectangle, I, is presumed to con- 
tain a finite number of sample points. These 
define the safe event, S, the unsafe event, S̄ 
(the complement of S), the reliable event, R, 
and the unreliable event, R̄. In turn, each of 
these four events consists of 
a defined collection of sample points, and each 
is a subset that is wholly contained in the 
universe, I. The interface between safety and 
reliability is represented by the lined area 
found between the arc acb, the extension of 
the safety event into the reliability event, 
and the arc dbb, the extension of the reli- 
ability event into safety. Two implications, 
readily apparent from an examination of fig- 
ure 1 are: 

1. R̄, the unreliable event, which is rep- 
resented by all of the area outside the 
R event, includes sample points that 
are in the safe event. 

2. Similarly, S̄, the unsafe event, repre- 
sented by all the area outside S, includes 
sample points that are contained in R. 

It might be presumed from an examination 
of figure 1 that the common goal of both safety 
and reliability is to expand the intersection of 
S and R, S ∩ R, until S ∩ R = I. This would be a 
valid goal under the circumstance that I is 
comprised only of events in S and R. Compli- 
cations arise when events from other disci- 
plines must be included in I. 

INTERFACE WITH RELIABILITY AND 
MAINTAINABILITY 

Suppose now that maintainability consider- 
ations, which are also closely allied with the 
safety domain, are now inserted in I as shown 
in Figure 2. Maintainability is a characteristic 
of System Design, installation and operations 
which may be defined, for both hardware and 
human systems as 

The probability that the system will be 
retained in, or restored to, a specified 
condition within a given period of time, 
presuming that maintenance is performed 
in accordance with a set of prescribed 
procedures and allocated resources. 

In turn, the term maintenance may be de- 
fined as 

All actions necessary for retaining this 
system or restoring it to a specified 
condition. 

Since this definition of maintainability is already expressed as a probability, its interface with safety and reliability can be expressed by means of a Venn diagram. In this, Figure 2, all the relationships between S, R and their complements are the same as in Figure 1. The interface between M and S is represented in Figure 2 by the arc cdf, and the interface between M and R is represented by the arc ecs. The area common to all three events, S ∩ R ∩ M, is represented by the cross-hatched area bounded by the arcs c, cd and db. Perhaps the most obvious relationship observable from Figure 2 is that not all the sample points in the subset M ∩ R relate to the S event. This is due to the fact that the fundamental role of maintainability is to increase system life, without necessarily enhancing safety. As a consequence, the utility of maintainability to the system, reflected by the value of E, is enhanced as:

1. It becomes more expensive to replace the system rather than to keep it maintained.

2. Achieving longer system life through improved reliability or redundancy of parts becomes less cost effective than carrying out maintenance activities.

Consider now the safe event in relation to the R and M events shown in Figure 2. Let the sample points in S be divided into two subsets, one relating only to equipment damage, S_E, and one relating only to personnel injury, S_P. It is clear that S_E can occur even when S_P does not. For example, consider the case in which the life support system of a submarine is damaged during submerged operations. Presuming that a monitor and alarm system exists and that it can provide adequate warning time, there can be various sample points in S_E that may be selected such that the safe event can nevertheless occur.

Some sample points, in the area defined by S ∩ M, presume that maintenance is possible, while others, in S ∩ R, presume that the equipment to be used for contingency, escape or rescue is reliable. The following guidelines are offered in assigning sample points to S ∩ M, S ∩ R or S ∩ R ∩ M.

1. Direct removal and replacement of faulty equipment, or the repair by personnel in situ, is contained in S ∩ M.

2. Switching to a redundant equipment through remote means such as telemetry or in situ by attending personnel, is contained in S ∩ M.

3. Switching to redundant equipment through the use of built-in, self-checking circuits is contained in S ∩ M ∩ R.

4. Redundancy used in majority voting, for use in a fail-safe configuration for replicated elements, is contained in S ∩ R.

The process of idealizing the interrelationship described by Figure 1 involved an expansion by R and S sample points in I such that S ∩ R = I. Although, in Figure 2, there are sample points located both in M and in R which permit the event S to occur, this process of idealizing can be extended to R ∩ S ∩ M by permitting the union of either R or M to fill the universe. That is,

(S ∩ R) ∪ (S ∩ M) = I

It is clear that, even when there are as few as three variables, there will be advantages and disadvantages to selecting one of the two possible intersections for expansion in I. Increasing the number of variables that interact within I emphasizes still further the need for increasing the intersection of S with other parameters through the process of optimization.

SYSTEMS SAFETY IMPLIES OPTIMIZATION 

It has been noted that the application of 
scientific methodology to safety requires the 
ability to quantify. Further, it is considered 
that scientific methodology applied to system 
safety implies optimization. To offer evidence 
for this point of view consider first the mean- 
ing of the term System Safety. First, a system 
may be defined as 

A device, scheme or procedure which behaves in accordance with some description, its function being to operate on information and/or energy and/or matter in some time reference in order to yield information and/or energy and/or matter.

This definition places no restriction upon the size or complexity of the device, scheme or procedure under consideration. Large systems such as the LHA are usually comprised of some composite of operational and support equipment, personnel, facilities and software which are used together as an entity to perform or support a specified role. The operational role for a function performed by a given system is often referred to as its "mission". A system may be described by specifying

1. Its inputs and outputs as functions of time.

2. All the possible conditions (states) of 
the system; i.e., the system phase 
space. 

3. A descriptive model relating inputs, 
outputs, and system space as a function 
of time. 

System inputs for the LHA include, among hundreds of others, operational plans, contingency operational plans, qualification and training requirements of crew members, maintenance and overhaul activities and a description of weather conditions. The system model includes considerations such as the rate of fuel consumption as a function of speed and range as a function of pitch and roll and alternate modes of operation in response to potential hardware and personnel problems. A definition for System Safety which relates all necessary factors is

An optimum degree of safety, established 
within the constraints of operational effec- 
tiveness, time, cost and other applicable 
interfaces to safety, that is achievable 
throughout the life cycle of the system. 

This definition does not imply that one, unique optimum is appropriate for the life of a system, although this possibility is not unacceptable. Rather, the definition establishes a requirement that systems analysis techniques be applied to the domain of safety, and that these techniques include a quantification of safety over the entire life of the system based upon all facets of the system. As such, optimization is the essence of System Safety. It may be defined as

The application of mathematics and simulation techniques for identification, examination and calibration of the interaction between and among the elements of the system.

OPTIMIZING SYSTEM SAFETY 

Achieving an "optimum degree of safety" requires that choices be made among the various alternative means available for arriving at a chosen objective. Various "alternative means" may be found within the domains of those disciplines defined by E or wholly within the domain of safety. This latter circumstance is illustrated by Figure 3 and is taken from the domain of hazard analysis. On the left hand side are the kinds of hazard analyses that are performed, generally successively in time, on a large system. On the right are shown the logical flow of hazard analysis outputs as a function of time. At one extreme, at t=0, are those tasks which imply the prevention of hazardous occurrences, and at the other extreme are those safety activities which are intended to minimize the effects of a hazardous occurrence. Although included for completeness, the tradeoffs between alternative means in one discipline are not as difficult as the selection of trade-offs among differing disciplines. Examples of alternate means which could be selected as optimum between various disciplines include configurations:

1. Of minimum complexity, such that minimum demands are placed upon human skills for operation or maintenance.

2. Such that the failure of any one com- 
ponent can not lead to failure of the 
system or to personnel fatality. 

3. Which provide an indication of those 
components that have become de- 
graded and, consequently, are likely to 
fail. 

It is apparent that no intelligent evaluation of alternative means can be made without relating to system objectives. If the domain of human safety is not involved, there is no hesitancy in permitting the system output to range over the domain of all possibilities in order to establish an optimum. System safety, however, is not free to trade off all possible variations in system output. Specifically, it is considered undesirable in our culture to equate the value of human life in terms of inanimate equipment or money. Similarly, the notion that risks may be intentionally taken as part of the operation of a non-military system, based upon a schedule of compensation for injury or fatalities that may occur, is equally undesirable in our culture. The suggestion that such an attitude is not rigorously pursued has, particularly in recent times, brought about confrontation between various elements of our society and the creation of a host of new industry and government agencies oriented towards resolving these differences. System safety cannot help but find itself at the focus of such considerations, and can make a valid contribution toward enhancing safety in our society through techniques that are useful for integrating multi-faceted programs for large, complex systems.
INTRODUCTION

Every taxpayer has an investment in the U.S. space program. A complete list of the many returns from U.S. manned and unmanned space programs would not be appropriate for this paper; however, the following examples are cited as being indicative of the number of benefits that have been obtained. In terms of domestic impact, the returns range from national pride to better paints. Early warnings of hurricanes discovered by satellites have saved lives and millions of dollars in property damage. The development of rechargeable batteries, stimulated by the space program, has brought remarkable changes in the design and use of portable power tools and appliances.

In addition to the domestic impact, the space program has also provided technology applicable to many industrial processes. Fireproof Beta cloth has been developed and is already being used for fire-fighter suits in municipal departments and on board aircraft carriers. The requirements for deep-space operations demanded major improvements in the state of the art of computer technology. The chemical industry is already using these advanced computers in large data centers.

The rigorous efficiency and performance requirements of the space age led to the development of new technologies for achieving the required reliability in the millions of complex components in space equipment. These rigorous requirements are particularly true for the Apollo spacecraft with its complex mission of taking men to the moon, landing them, and returning them safely to earth. The NASA Manned Spacecraft Center (MSC) at Houston, Texas, has responsibility for the development of the command module, the service module, and the lunar module. At MSC, the reliability and quality assurance organization is at the highest level within the center, and the Director of Reliability and Quality Assurance reports to the center Director. It is a basic philosophy within the center that reliability and quality assurance personnel have direct access to top management for resolution of problems. Reliability and quality assurance activities are so closely related that some activities can be classified as either reliability or quality assurance. Some of the reliability activities described in this paper may be considered quality assurance tasks, as in fact they are elsewhere in NASA. If some reliability concepts appear to be missing, it is because they have been classified at MSC as quality assurance activities. Since the Apollo spacecraft constantly evolves to accommodate changing mission requirements, the reliability analysis of each spacecraft is affected. That is, the prohibitive cost of reliability demonstration, coupled with limited production runs, has caused NASA to emphasize a qualitative rather than quantitative analysis approach to reliability. Quantitative reliability evaluation depends on statistical information that requires large sample sizes such as those experienced in the automobile and chemical industries. This characteristic in the Apollo Spacecraft Program is precluded by the limited production. These qualitative techniques applied in achieving Apollo goals also have application to the chemical industry. Effective translation of this technology to the chemical industry requires that special attention be given to differences in (1) industry definitions, terms, and acronyms; (2) industry goals and motivations such as performance, cost, schedules, and safety; and (3) repeatability of product or process. The technological advances in reliability are concerned particularly with offsetting reliability demonstration costs and limited production runs.

Part I of this paper describes the qualitative disciplines, the definitions and criteria that accompany the disciplines, and the generic application of the disciplines to the chemical industry. Part II translates the disciplines into proposed definitions and criteria for the chemical industry, into a base-line reliability plan that includes these disciplines, and into application notes to aid in adapting the base-line plan to a specific plan or operation.

PART I - APOLLO SPACECRAFT RELIABILITY PROGRAM ELEMENTS

The basic objective of the Apollo Spacecraft Reliability Program was the development of a spacecraft that would safely carry man to the surface of the moon and back. The Apollo Spacecraft Program Manager and the Design Engineers were committed to this objective, which was reached by strict attention to details throughout the Apollo Spacecraft Program. To accomplish this basic objective, the Apollo Spacecraft Program Manager was required to emphasize qualitative goals such as the following: (1) safe transport of man to the moon and back, (2) minimization of critical single-point failures, and (3) development of a spacecraft system that could be launched into earth orbit by a Saturn launch vehicle. These goals were attained through the imposition of reliability requirements on all three phases - design, manufacturing, and operations - of the Apollo Spacecraft Program. Attention to detail is achieved through the accomplishment of the following 10 disciplines, which will be discussed further:

1. Program management 

2. Failure mode and effect analysis 

3. Problem reporting and corrective action 

4. Design specification review 

5. Design review 

6. Quantitative reliability analysis 

7. Reliability test requirements 

8. Maintainability 

9. The parts program 

10. Reliability documentation

These disciplines constitute a reliability program with the fundamental purpose of identifying and removing problem-causing elements from the design and, ultimately, from the equipment selected to implement the design. This approach to identification and removal of problem elements is summarized in Figure 1.


Program Management

Basic NASA reliability requirements are contained in the NASA reliability publication NPC 250-1, entitled "Reliability Program Provisions for Space System Contractors," July 1963. These requirements are further defined and modified for use at MSC by MSC document MSCM 5315, entitled "Supplemental Reliability Requirements and Implementation Instructions for Manned Spacecraft Center Equipment," May 1969. These documents provide the basis for the Apollo Spacecraft Reliability Program, which is implemented primarily by the contractors that have responsibility for major hardware elements. Management of the reliability portion of a contract is the responsibility of the Reliability Division of the Reliability and Quality Assurance Office at MSC.

Reliability provisions in contracts and sup- 
porting reliability program plans are the 
primary tools of reliability program manage- 
ment. Each contractor develops a reliability 
program plan to detail how the provisions of 
the contract will be implemented. This plan, 
which is reviewed and approved by MSC, 
establishes the scope, applicability, and or- 
ganizational responsibilities of the contract. 
The development of each contractor's or each 
subcontractor's program plan is guided by the 
Reliability Division, which considers factors 
such as the following: (1) the complexity of 
the equipment, (2) the functional criticality of 
the equipment, and (3) the procurement size. 
In the plan, the 10 reliability tasks previously 
discussed are described in terms of their 
basic requirements, definitions, implementation, procedures, exceptions, and data generation. The plan also establishes guidelines for
scheduling the analyses, reporting the results, 
and distributing the necessary information to 
user agencies. 

The Reliability Division continuously mon- 
itors the contractor's progress and conducts 
periodic meetings with the contractor to re- 
solve implementation and scheduling problems. 
These meetings are based on the continuous 
interactions of the two organizations and on 
periodic formal audits of the contractor’s 
performance with respect to the program plan 
requirements. The Reliability Division of MSC 
also places requirements on the contractor 
concerning the management of subcontractors 
and the reliability data to be generated by the 
subcontractors. Personnel from MSC may 
participate periodically with the contractor in 
his audit of the subcontractor. 

The application of the Apollo Spacecraft 
Reliability Program concept to the chemical 
industry consists of developing a plan (1) that
establishes division or corporate policy on 
reliability requirements such as (a) reporting 
failures and (b) criteria for accepting new 
equipment from vendors and (2) that establishes 
reliability requirements for turnkey plant de- 
sign and construction. 


Failure Mode and Effect Analysis 


A designer usually evaluates his design by a thought process in which he examines possible failure mechanisms, and protection for the failure mechanisms thus identified is provided. In the Apollo Spacecraft Reliability Program, this mental exercise is documented, put into a logic format, and complemented with the "what if" logic of the test, operations, and reliability engineers. This documentation affords the designer an evaluation of the design concept in which the complete set of requirements for the equipment is considered. This analysis is known as the Failure Mode and Effect Analysis. Inputs to the analysis include a description of the function the equipment is to perform and historical performance data on similar equipment. The analysis is oriented toward discussion of how items will fail rather than of how to make them work. The analysis consists of (1) an examination of each component of the system or function and (2) identification of the modes in which each component could fail. The effect that component failure has on the system or function is then determined. Where interrelated functions exist, it is also necessary to evaluate the effect the failure has on other elements of the equipment. The failure effects are evaluated against established criticality definitions, with attention focused on major problems requiring design modification or procedural workarounds. Equipment (such as power, air conditioning, and structural support) that has service functions is included in the analysis.

The criticality definition for the Apollo Spacecraft Program had three categories: (1) personnel safety, (2) mission termination, and (3) all others. For the chemical industry, this definition is translated directly to (1) life/property loss, (2) plant shutdown/product contamination or loss, and (3) all others. When the selected set of definitions is used, the analysis provides a list of equipment elements whose failure could cause an undesired event. In the Apollo Spacecraft Program, these elements are referred to as single-failure points, which implies that the list does not contain combinations of failure points which could cause an undesired event. This list of equipment elements is the basis for a management function to force either redesign of these elements, provision of a workaround to offset the failure of these elements, or location of a different way to perform the function. In cases where no corrective action is available for a single-failure point, program management approves launch commitments after assessment of remaining risks.

The discussion up to this point has been 
focused on design activity. The Failure Mode 
and Effect Analysis is used in other ways such 
as to provide an input to the test requirements 
by identifying elements that require functional 
acceptance testing. Inputs are provided to the 
prelaunch checklist by identifying backup ele- 
ments and workarounds which should be veri- 
fied. The Failure Mode and Effect Analysis also 
serves as a working tool for the operations 
engineer by providing him with an aid in fault 
isolation. The Failure Mode and Effect Analysis 
is a design tool which has application through- 
out the life cycle of the equipment. 

Figure 2 presents an example of the Failure Mode and Effect Analysis format used at MSC. The format in Figure 2 is simpler than the one actually used for the spacecraft, but is a good example for illustration purposes. The Failure Mode and Effect Analysis format might be used in the chemical industry in the following ways:

1. As a joint analysis performed by plant 
designer and customer to check the design 
concept against the operating procedures to 
be used. 

2. As an analysis performed as a design 
tool and then charted in summary form as a 
fault isolation aid during startup. 

3. As an analysis performed as an aid in 
selecting instrument points for supervisory 
control of a plant or process. 

The Failure Mode and Effect Analysis is 
considered to be a major factor in achieving 
trouble-free performance. This analysis is 
particularly useful where complex operations 
with interrelated functions required design 
detail by several designers. 

The single-failure-point list resulting from 
the Failure Mode and Effect Analysis provides 
the designer with an action-item list of pro- 
blems to be solved. When documented for the 
final design, the Failure Mode and Effect 
Analysis traces the effects back to the causes. 
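The worksheet logic described in this section, as an added Python example that is not from the paper: constructed failure modes for a hypothetical cooling loop are evaluated against the chemical-industry criticality categories, the single-failure-point list is extracted (single failures only, no combinations), and that list is reused, as the text describes, for test requirements, the startup checklist and fault isolation. The rule that every single-failure-point component needs functional acceptance testing is an assumption of the example.

```python
"""Failure Mode and Effect Analysis worksheet modelled on the procedure
described in the text.  Added example: equipment, failure modes and
effects are constructed for a hypothetical cooling loop."""
from dataclasses import dataclass
from enum import IntEnum


class Criticality(IntEnum):
    """Criticality categories from the text, chemical-industry reading
    with the Apollo equivalent in the comment."""
    LIFE_OR_PROPERTY_LOSS = 1   # Apollo: personnel safety
    PLANT_SHUTDOWN = 2          # Apollo: mission termination
    ALL_OTHERS = 3              # Apollo: all others


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str              # how the item fails, not how it works
    effect: str            # effect of this single failure on the system
    criticality: Criticality
    workaround: str = ""   # backup element or procedural workaround, if any


# Constructed worksheet (not from the paper).
WORKSHEET = [
    FailureMode("coolant pump P-1", "fails to run", "loss of reactor cooling",
                Criticality.LIFE_OR_PROPERTY_LOSS, "start standby pump P-2"),
    FailureMode("relief valve RV-1", "fails closed", "vessel overpressure",
                Criticality.LIFE_OR_PROPERTY_LOSS),
    FailureMode("level transmitter LT-1", "reads low",
                "feed valve stays open, vessel overfill",
                Criticality.PLANT_SHUTDOWN, "operator cross-checks sight glass"),
    FailureMode("agitator motor", "bearing seizure", "batch off-spec, product loss",
                Criticality.PLANT_SHUTDOWN),
    FailureMode("panel lamp", "burns out", "local indication lost",
                Criticality.ALL_OTHERS),
]


def single_failure_points(worksheet):
    """Elements whose single failure could cause an undesired event
    (criticality 1 or 2).  Combinations of failures are not considered,
    exactly as the text notes for the Apollo list."""
    return [fm for fm in worksheet
            if fm.criticality <= Criticality.PLANT_SHUTDOWN]


def open_action_items(worksheet):
    """Single-failure points with no workaround: each must be redesigned,
    given a workaround or a different way to perform the function, or
    carried as a residual risk accepted by management."""
    return [fm for fm in single_failure_points(worksheet) if not fm.workaround]


def acceptance_test_items(worksheet):
    """Input to test requirements.  Assumption for this example: every
    component on the single-failure-point list needs functional
    acceptance testing."""
    return sorted({fm.component for fm in single_failure_points(worksheet)})


def startup_checklist(worksheet):
    """Input to the prelaunch (here: startup) checklist: backup elements
    and workarounds that should be verified before operation."""
    return [fm.workaround for fm in single_failure_points(worksheet)
            if fm.workaround]


def fault_isolation(worksheet, observed_effect):
    """Operations aid: trace an observed effect back to candidate causes,
    i.e. the (component, failure mode) pairs whose recorded effect
    mentions it."""
    key = observed_effect.lower()
    return [(fm.component, fm.mode) for fm in worksheet
            if key in fm.effect.lower()]


if __name__ == "__main__":
    for fm in open_action_items(WORKSHEET):
        print(f"ACTION ITEM: {fm.component} - {fm.mode} -> {fm.effect} "
              f"(criticality {int(fm.criticality)})")
    print("verify before startup:", startup_checklist(WORKSHEET))
    print("candidate causes of 'overfill':", fault_isolation(WORKSHEET, "overfill"))
```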

Problem Reporting and Corrective Action 

Many unscheduled repairs, equipment failures, and catastrophic losses are avoidable if constant attention is given to prevention of their occurrence. Recurrence of a problem can be avoided if effective corrective action is taken the first time the problem occurs. Recurrence control depends on communication among all users of the problem-causing equipment. A problem-reporting and corrective-action system is used by NASA in the Apollo Spacecraft Program to report problems, monitor the application of corrective action, and implement recurrence control.

Using a carefully selected problem definition, personnel concerned with the life cycle of a piece of equipment report the occurrence of any problems. These problems are recorded in a permanent record for that piece of equipment. Each reported problem is checked for previous occurrence and for the adequacy of previous corrective action. A solution must be found for all reported problems; that is, corrective action must be identified and implemented. The corrective action must be based on a sound engineering solution to the problem. Failure analysis is the basis for the solution and may range from simple inspection of the failed equipment to special tests that duplicate the conditions of failure. Sufficient engineering effort is applied to clearly identify the cause and to understand the conditions which influence failure occurrence. The organization responsible for the reporting system verifies the corrective action before the problem is officially considered to be solved. This problem-reporting and corrective-action system prevents inferior elements or concepts from reaching the operational status. Also, when used along with the Failure Mode and Effect Analysis, this system provides a dual approach to reducing the occurrence of problems throughout the life cycle of the equipment.

The important elements of problem report- 
ing are (1) the basic problem definition, (2) the 
basic critical-function definition (should be the 
same as the Failure Mode and Effect Analysis), 
(3) effective reporting techniques, (4) well- 
planned corrective action, and (5) careful correlation of the recurrence control history.

The application of the problem-reporting and corrective-action system to the chemical industry can be related to the development of new equipment and to the distribution of problem histories to other plants and divisions within the user company. If a valve jams in the open position and cannot be closed, all other plants in the organization should be notified if they are using the same valve in the same application. If a minor problem occurs when an engine is in a noncritical application, an audit can be made to determine if the engine is used elsewhere in a more critical function and whether corrective action is necessary. This system can also be used (1) to provide inputs to inventory control systems, (2) in maintenance planning, and (3) in the support of unit turnarounds. In addition, this system can be used by management to maintain an overview of program problems and their status.
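The reporting, recurrence-check, closure and distribution steps described in this section, as an added Python example that is not part of the paper. The plants, the valve model and the problem reports are constructed; the scenario follows the jammed-valve case in the text.

```python
"""Problem-reporting and corrective-action record modelled on the system
described in the text.  Added example; plants, equipment and reports
are constructed, not taken from NASA records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Installation:
    plant: str
    equipment: str      # equipment type, e.g. a valve model
    application: str    # how it is used at that plant


@dataclass
class ProblemReport:
    report_id: str
    plant: str
    equipment: str
    application: str
    problem: str              # stated per the agreed problem definition
    cause: str = ""           # established by failure analysis
    corrective_action: str = ""
    verified: bool = False    # reporting organization has verified the action

    @property
    def closed(self):
        """A problem is officially solved only after verification."""
        return bool(self.corrective_action) and self.verified


class ProblemRecord:
    """Permanent per-equipment record plus the recurrence check and the
    distribution to other users of the same equipment."""

    def __init__(self, installations):
        self.installations = list(installations)
        self.history = {}   # equipment -> list of ProblemReport

    def report(self, pr):
        """Record a new problem and return its prior occurrences."""
        self.history.setdefault(pr.equipment, []).append(pr)
        return self.recurrence_check(pr)

    def recurrence_check(self, pr):
        """Earlier reports of the same problem on the same equipment.
        Any that were already closed show the earlier corrective action
        was inadequate and must be revisited."""
        return [prev for prev in self.history.get(pr.equipment, [])
                if prev is not pr and prev.problem == pr.problem]

    def close(self, pr, cause, corrective_action, verified):
        """Closure needs an engineering cause, a corrective action and
        verification by the organization running the reporting system."""
        if not (cause and corrective_action and verified):
            raise ValueError(f"{pr.report_id}: not officially solved")
        pr.cause, pr.corrective_action, pr.verified = cause, corrective_action, True

    def plants_to_notify(self, pr):
        """Other plants using the same equipment in the same application."""
        return sorted({i.plant for i in self.installations
                       if i.equipment == pr.equipment
                       and i.application == pr.application
                       and i.plant != pr.plant})

    def audit_other_applications(self, pr):
        """Same equipment in other applications: candidates for an audit
        of whether corrective action is needed there as well."""
        return sorted({(i.plant, i.application) for i in self.installations
                       if i.equipment == pr.equipment
                       and i.application != pr.application})


def run_example():
    """Constructed scenario: the jammed-valve case from the text."""
    record = ProblemRecord([
        Installation("Plant A", "valve model V-200", "reactor feed isolation"),
        Installation("Plant B", "valve model V-200", "reactor feed isolation"),
        Installation("Plant C", "valve model V-200", "reactor feed isolation"),
        Installation("Plant C", "valve model V-200", "cooling-water bypass"),
    ])
    first = ProblemReport("PR-001", "Plant A", "valve model V-200",
                          "reactor feed isolation", "jams open, cannot be closed")
    prior = record.report(first)                   # nothing on record yet
    record.close(first, "stem corrosion", "fit coated stem", verified=True)
    second = ProblemReport("PR-002", "Plant B", "valve model V-200",
                           "reactor feed isolation", "jams open, cannot be closed")
    recurrence = record.report(second)             # PR-001's fix was inadequate
    return {
        "prior": [p.report_id for p in prior],
        "recurrence": [p.report_id for p in recurrence],
        "recurrence_was_closed": all(p.closed for p in recurrence),
        "notify": record.plants_to_notify(second),
        "audit": record.audit_other_applications(second),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```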

Design Specification Review 

Reliability considerations should form an 
integral part of the preparation, review, and 
approval of all design specifications, vendor- 
change requests, specification drawings, pur- 
chase orders, and subsequent revisions or 
amendments or both. A design specification is 
not adequate until the reliability requirements 
are clear to the designer. The reliability re- 
quirements include qualitative reliability 
goals, reliability procurement goals, and re- 
liability documents goals. The same require- 
ments must also be applied to vendor-deviation 
requests. This approach to design specification 
review is directly applicable to the chemical 
industry. 

Design Review 

The entire reliability program represents a continuous design review effort. From conceptual configuration studies to eventual design freeze, reliability continually evaluates the systems and updates analyses. Design reviews are conducted at the following hardware levels: (1) component, (2) subsystem, and (3) system. Each contractor has his own method of conducting design reviews, but participation by representatives of all disciplines (such as engineering, quality, reliability, manufacturing, and purchasing) is required. Some of the primary purposes of the design review are to determine the following: (1) Have all potential failure mechanisms been eliminated? (2) Is the item manufacturable? (3) Can the item be inspected? (4) When put together as a subsystem or system, will all components work together as specified?



Reliability personnel have a prime role to 
play in the major system design reviews, 
which are the Preliminary Requirements Re- 
view where the spacecraft requirements are 
established; the Preliminary Design Review 
where the conceptual design is reviewed and 
approved; the Critical Design Review where 
final design approval, along with the go ahead 
for the manufacturing phase, is granted; and 
the Flight Readiness Review where approval 
for launch is given after a review of all data 
associated with the spacecraft. Table I corre- 
lates the system design reviews to equivalent 
events in the development of a chemical 
process. 

Quantitative Reliability Analysis 

The Apollo Spacecraft Reliability Program 
consists primarily of qualitative disciplines. 
As stated previously, limited production quan- 
tities, extremely high reliability requirements, 
and evolutionary changes to the spacecraft 
preclude the use of statistical inference to 
assess the numerical reliability of the space- 
craft. Reliability predictions using historical 
data of similar equipment have been accom- 
plished for the purpose of comparing alternate 
approaches. These design studies that have a 
common historical base are valuable for com- 
parison of different configurations of equip- 
ment selected from the data base. 

Differences among the equipment in the data base and the actual Apollo hardware preclude accurate predictions of the total spacecraft reliability. However, statistical analyses of test results, performance parameters, and physical properties are performed by other organizations.

Reliability Test Requirements 

The reliability organization functions as 
an integral part of the contractor's test pro- 
gram and is required to ensure, through anal- 
ysis and proof, that all equipment will perform 
to the design intent. The reliability organization concurs in all test plans, specifications, 
and reports. The responsibility of the relia- 
bility organization is to evaluate all perform- 
ance aspects to ensure that all parameters 
(thermal, vibration, environment stress, etc.) 
are properly applied and that the results 
demonstrate the design competence. 


Test planning and monitoring are continuous 
disciplines covering programs on design con- 
cept, design verification, prototypes, thermal 
or environmental (or both) conditions, quali- 
fication or certification (or both), acceptance, 
parts and materials, subsystems, systems, 
and end-items. Each program requires unique 
analysis and evaluation to ensure prompt cor- 
rection to design concepts for a progressive 
evolution to product reliability. Special em- 
phasis is placed on monitoring the qualification 
test program which tests the equipment in the 
actual usage environment including vibration 
and thermal conditions. 

In development and qualification tests, the 
objectives are related to verification of the 
design approach. During acceptance test and 
checkout, the emphasis shifts to verification 
of the manufacture and assembly of the equip- 
ment. Reliability supports these activities 
with design information and test histories. 

Maintainability 

The Apollo spacecraft was designed with 
standby and redundant systems to free the 
crew from inflight maintenance tasks which 
might interfere with critical crew functions. 
Maintainability for the spacecraft consists 
primarily of fault isolation and switching to 
backup systems. Because of the need to con- 
trol the operating time which accumulates on 
certain equipment prior to launch, equipment 
with limited operating life time is identified 
and carefully monitored during ground tests 
and checkout. If insufficient operating lifetime 
remains, the equipment is replaced prior to 
launch. The Failure Mode and Effect Analysis, 
which was discussed previously, provides in- 
puts to the ground-support-equipment mainte- 
nance program by identifying critical equip- 
ment for which rapid repair or replacement 
is required during launch operations. 

Parts Program 

The NASA reliability publication NPC 250-1 
establishes parts criteria for space system 
contractors. This document requires con- 
tractors to implement a program covering 
selection, specification, qualification, and ap- 
plication reviews of parts for all items to 
be used in a system. A parts program plan 
must also be submitted as part of the reliability 
program plan. By review and approval of the 
plan, NASA assures that an acceptable parts 
control program is implemented by Apollo 
contractors. The elements of an acceptable 
control program include qualification, lot ac- 
ceptance, parts screening and burn-in, and 
derating. 

When departures from program criteria 
are identified, a detailed technical review of 
the critical part applications is accomplished 
to ensure that an adequate rationale for such 
usage is provided. The assessment activities 
also include the evaluation of part failures in 
equipment, the corrective action taken, and 
an evaluation of the possible impact of prob- 
lems reported by the NASA ALERT system 
and other sources. The NASA ALERT system 
is a program which requires that all NASA 
installations exchange information on signifi- 
cant parts and materials quality or application 
problems of general concern. A computerized 
parts master file provides the identification 
and applications of all spacecraft electrical, 
electronic, and electromechanical parts. The use 
of this file permits a rapid evaluation of the 
potential impact of a problem with any given 
part type. Significant electrical, electronic, 
and electromechanical part problems receive 
particular program management attention. 
Effective resolution and closeout are verified 
progressively at major milestone reviews. 

The Apollo parts program has concentrated 
on electrical, electronic, and electromechan- 
ical parts because of their predominance in 
the space program. The program outlined 
previously was based on acceptance of each 
part. The high design margin of mechanical 
parts used predominantly in the chemical in- 
dustry suggests a program which emphasizes 
the rejection of bad parts. This control can be 
accomplished through a system similar to the 
NASA ALERT program. 

Reliability Documentation 

The quantity of documentation of the Apollo 
Program is very large. Yet, the complete, 
clear story that can be retrieved concerning 
problem history and equipment tests serves 
a purpose in such an immense program as 
Apollo, with approximately 40,000 companies 


involved in the program. Clear, concise infor- 
mation concerning results from reliability 
activities is necessary, and a level of docu- 
mentation to support this requirement is 
necessary. Documentation requirements adjust 
as the associated program evolves from its 
design conceptual phases through design ma- 
turity and product operational phases. The 
necessity for accuracy and technical excellence 
is obvious when the impact on crew safety or 
mission success is considered. Reliability 
design analysis is made available for use by 
operational personnel in a large program or 
company only through documentation. 

PART II - APPLICATION TO CHEMICAL 
INDUSTRY 

Introduction 

With careful attention to economic factors, 
the techniques discussed in Part I can be 
applied successfully to the chemical industry. 
This paper describes the qualitative program 
elements which are the basis of the Apollo 
Spacecraft Reliability Program. The applica- 
tion of the techniques to the chemical industry 
requires careful attention to economic feasi- 
bility. Failure Mode and Effect Analysis and 
problem reporting are the basis for a sound 
qualitative reliability program in the chemical 
industry. 

The high reliability of the Apollo space- 
craft is a demonstration of the effectiveness 
of qualitative reliability requirements. On the 
Apollo 8 mission, only five of 5,000,000 parts 
failed to perform their function. If a level of 
99.9 percent had been achieved for the relia- 
bility of these parts, then one part in a thousand 
might be expected to fail. Thus, on each flight, 
approximately 5,000 parts could be expected 
to fail. 

Reliability Program Implementation 

The reliability program elements described 
previously have been effectively applied to 
large and small procurements. Procurement 
size influences the associated reliability plan 
in two ways. Most smaller procurements are 
accomplished by a prime contractor on a sub- 
contract basis. The reliability program of the 


265 



prime contractor is extended to cover the sub- 
contracted equipment. In other small procure- 
ments, the function of the equipment may be 
completely noncritical to the mission objec- 
tives. In this case, minimal reliability re- 
quirements are implemented. 

For all procurements for the Apollo space- 
craft, the definitions "loss of life" and "mission 
termination" are used to judge the criticality 
of the function. For the chemical industry, it 
may be necessary to use a variable definition 
of critical function. For example, an auto- 
matically controlled process which has a 
throughput capability in excess of demand is 
not sensitive for loss of life or of productive 
time. But, the process may have an economic 
hazard of much consequence such as contami- 
nation of a catalyst, spillage of an expensive 
feedstock, or destruction of property. Although 
this example oversimplifies safety considera- 
tions, it is obvious that variability of defini- 
tions is necessary. The following are the major 
factors which influence the degree of imple- 
mentation of a reliability program for a given 
plant or process. 

1. Scope - Plant size, number of similar 
plants, procurement size 

2. Contract tier - Turnkey designer, equip- 
ment supplier, volume component supplier 

3. Criticality of function - Obvious critical 
functions, unknown or obvious lack of critical 
functions 

4. Definition of criticality - Safety, facil- 
ity loss, production schedules, economics 

The following are the steps in implementing 
an effective reliability program utilizing the 
Apollo disciplines: 

1. Use the disciplines previously described 
to structure the basic reliability requirements 
for a plant, division, or corporation. More 
extensive commitment to the basic require- 
ments means more success in the individual 
applications. The basic requirement should 
include a definition of problem and definition 
of criticality categories coordinated with the 
intended users. 

2. Perform the following for each segment 
of the organization, plant, or process: 

a. Extend or subdivide the definitions 
of problem and criticality to fit special con- 
ditions. Definitions need not be changed, only 
supplemented. 


b. Examine each reliability require- 
ment in terms of the implementation factors 
(scope, contract tier, criticality of the function, 
and criticality definitions). Judge the effec- 
tiveness of the requirement in supporting 
overall objectives (schedules, minimum non- 
productive time, reduction, effective turn- 
arounds, and product quality). 

c. Develop a procedure for each basic 
reliability requirement which is economically 
feasible when the factors in items a and b are 
also considered. 

d. Document the procedures in item c 
as a plant reliability plan. 

e. Develop the forms, data flow, and 
signature approvals to support the plan. 

f. Implement the plan, and train per- 
sonnel. (The importance of proper training in 
reliability requires careful planning for this 
step.) 

Implementation for Equipment Suppliers 

Equipment suppliers should consider the 
elements of the baseline plan in development 
of new product lines. In addition, the Failure 
Mode and Effect Analysis and design specifi- 
cation review techniques can strengthen the 
sales brochure or application guides. Docu- 
menting the results of environmental tests 
and other demonstrations of specification 
requirements aids the customer in his design 
review. The Failure Mode and Effect Analysis 
can be used to define configurations of instru- 
mentation power sources and physical position 
which offset potential failure modes. This 
acknowledgment of possible failure modes does 
not detract from the qualifications of the equip- 
ment to the customer who is reliability 
oriented. 

Implementation for Turnkey Design Companies 

The base-line reliability plan can probably 
be most effectively adapted for use by an 
organization having total responsibility for 
development of a process facility. Reliability 
requirements can be Implemented at the be- 
ginning of the project. The Failure Mode and 
Effect Analysis proves its value in the selec- 
tion of the best equipment configuration. 
Problem report summaries provide an effec- 
tive way of directing project management and 
customer attention to the critical problems of 
the development cycle, and the customers feel 
less inclined to oversee the details of the 
project. An effective set of milestone reviews 
can be established in which the major prob- 
lems and corrective actions are reviewed in 
detail and in which the majority of the project 
is reviewed in summary format. The problem- 
reporting system must be good enough to pro- 
vide confidence that the important problems 
will stand out. The criticality categories sort 
all problems into tiers of importance, which 
allows effective audits of lower tiers. This 
procedure, which is "management by excep- 
tion" in the basic form, requires dependence 
on accurate reporting of events. 

Implementation for Startup and Operation 

The qualitative approach to reliability as 
described in this paper focuses attention on 
designing reliability into a system. Require- 
ments for replacement of limited-lifetime 
equipment and for preventive maintenance 
are translated into operational requirements. 
Problem reporting continues into the opera- 
tional phase and becomes the focal point of 
operational reliability. Qualitative reliability 
documented analysis performed during the 
development program benefits this phase. The 
Failure Mode and Effect Analysis provides a 
basis for fault isolation diagnosis during 
startup and operations. Review of the Failure 
Mode and Effect Analysis and of corrective 
action for problems provides a list of items 
to be given special attention or checks prior 
to startup. These data also provide inputs to 
supervisory control instrumentation points and 
control functions. The later addition of equip- 
ment such as supervisory control to the process 
requires that the new equipment be subjected to 
the total requirements of the reliability plan. 


Reliability Program Plan 

Appendix A contains a base-line reliability 
program plan for a multiple-plant division or 
corporation. The plan defines requirements, 
including procurement of equipment or turnkey 
plants, for the total life cycle of plants within 
the division. Implementation of the plan for a 
division should be accomplished by coordina- 
tion of the requirements with managers, op- 
erators, and engineers from each plant and 
by modification of the requirements until 
practical implementation is possible. The 
plan should then become official procedure, 
subject only to periodic review and update, 
as necessary for solving operational prob- 
lems. 

CONCLUSIONS 

The reliability program at MSC is basically 
qualitative in nature, with major emphasis on 
the disciplines of problem reporting and cor- 
rective action and Failure Mode and Effect 
Analysis. This qualitative approach is most 
appropriately applied to complex, one-of-a- 
kind projects. Several chemical industry seg- 
ments meet this criterion. 

Success in implementation of this approach 
will depend on implementation of each dis- 
cipline, using definitions and criteria derived 
separately for each application. Carefully 
planned and correctly scoped, a reliability 
program can increase profitability of many 
chemical operations through reduction of down- 
time, reduction of equipment losses, and re- 
duction of contingent liability. Implementation 
of the reliability program for effective man- 
agement and control is best accomplished by 
development of a program plan that has been 
coordinated with all organizational elements 
involved. 
APPENDIX A 


BASE-LINE RELIABILITY PROGRAM PLAN 


INTRODUCTION 

The purpose of this document is to set 
forth the basic reliability requirements for 
the ________ Division of ________ Chemical 
Company. Management directive ________ 
authorizes this document and necessitates 
implementation of the requirements for all 
processes put into operation after (date). 
All processes put into operation prior to 
(date) must implement the require- 
ments which have operational application. (See 
implementation guide, page ____.) Requirements 

for safety, quality assurance, maintenance, 
and testing should be considered in imple- 
menting these requirements in order to avoid 
duplication of effort. 

RELIABILITY REQUIREMENTS 

The ________ Division reliability program 
consists of the following activities which take 
place during the development and operation of 
processes. 

Reliability Program Plans 

A reliability program plan shall be devel- 
oped for each plant or operation in this divi- 
sion. Each requirement shall be implemented 
by a plant procedure or operating rule. Any 
procedure or rule which conflicts with this plan 
must be approved by division management. 
Requirements shall be implemented to the 
extent appropriate for each of the following 
categories of equipment: 

1. Equipment previously installed 

2. Standard off-the-shelf equipment pro- 
cured on a lot basis 

3. Special procurements of major equip- 
ment items 

4. Multiple equipment procurements (turn- 
key plants) 

Design Specification Review 

Each design specification shall be reviewed 
in order to accomplish a correlation between 
the design and the operating plan functional 


requirements. Each specification will be re- 
viewed for performance requirements, safety, 
human factors, test criteria, maintainability, 
environmental requirements, and equipment 
that has a limited operating lifetime. The 
specification shall be reviewed against the 
basic operating plan and appropriate emer- 
gency and standby procedures. 

Failure Mode and Effect Analysis 

The Failure Mode and Effect Analysis shall 
be accomplished for each new process facility. 
The analysis shall identify possible failure 
modes, the effect on the process, and the criti- 
cality of the effect. A control list of the equip- 
ment which has Criticality I and II failure 
modes shall be established and shall be main- 
tained as a major status document during the 
development of the process. The list shall 
contain the equipment name, the critical failure 
mode, the effect, and the proposed corrective 
action. A process cannot be put on line until 
all Criticality I failure modes have been eli- 
minated and until all Criticality II items have 
adequate workarounds. The following are the 
criticality categories: 

I. Destruction of life or process facility 

II. Interruption of the process 

III. All other critical factors 

Problem Reporting and Corrective Action 

A problem is defined as the failure of an 
equipment to perform its intended function 
when required. A problem may be caused by 
design inadequacy, quality defect, procedural 
error, or human error. Problems are cate- 
gorized as Criticality I, Criticality II, or 
Criticality III. A system will be developed 
for reporting problems which occur in any 
equipment during or subsequent to acceptance 
testing. A list of Criticality I and II problems 
and the associated corrective actions will be 
established and maintained as a major status 
report during the development and operation of 
a process. Any problem on this list for which 
corrective action has not been taken is con- 
sidered to be an open problem. A process will 
not be put on line if any equipment has open 
problems. The following are other features of 
the system; 

1. Reporting of open problems to manage- 
ment will be scheduled so that timely knowledge 
of risks will be provided. 

2. Each problem reported will be corre- 
lated with the Failure Mode and Effect Analysis 
to determine the criticality category. If the 
problem has not been identified in the Failure 
Mode and Effect Analysis, the criticality 
category shall be identified through analysis, 
and the data shall be added to the Failure Mode 
and Effect Analysis. 

3. Each problem report of a limited-life- 
time item shall include the operating time at 
the time of failure. 
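As an added illustration of the control list, the problem-report correlation (feature 2) and the on-line gate described above, here is a small model written for this edition; it is not code from the base-line plan or from the Apollo program. The class and function names, the hypothetical analyze() step that classifies a mode the FMEA had missed, and the equipment tags in the sample data are all constructed.

```python
"""Added example (not from the original paper): an FMEA control list,
problem-report correlation, and the on-line gate of the base-line plan.
All names and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, List, Optional


class Criticality(IntEnum):
    I = 1     # destruction of life or process facility
    II = 2    # interruption of the process
    III = 3   # all other critical factors


@dataclass
class FailureMode:
    equipment: str
    mode: str
    effect: str
    criticality: Criticality
    corrective_action: str = ""
    eliminated: bool = False          # Criticality I: design change removed the mode
    workaround: Optional[str] = None  # Criticality II: adequate workaround in place


@dataclass
class ProblemReport:
    equipment: str
    mode: str
    operating_hours: Optional[float] = None  # required for limited-lifetime items
    corrective_action_taken: bool = False


@dataclass
class FMEA:
    entries: List[FailureMode] = field(default_factory=list)

    def find(self, equipment: str, mode: str) -> Optional[FailureMode]:
        return next((e for e in self.entries
                     if e.equipment == equipment and e.mode == mode), None)

    def control_list(self) -> List[FailureMode]:
        """The major status document: Criticality I and II modes only."""
        return [e for e in self.entries if e.criticality <= Criticality.II]

    def correlate(self, report: ProblemReport,
                  analyze: Callable[[ProblemReport], FailureMode]) -> Criticality:
        """Plan feature 2: if the reported mode is not in the FMEA, classify it
        by analysis and add it, so the FMEA stays the single list of record."""
        entry = self.find(report.equipment, report.mode)
        if entry is None:
            entry = analyze(report)
            self.entries.append(entry)
        return entry.criticality


def on_line_blockers(fmea: FMEA, reports: List[ProblemReport]) -> List[str]:
    """Reasons the process may NOT be put on line (empty list means go):
    every Criticality I mode eliminated, every Criticality II mode with a
    workaround, and no open Criticality I/II problem on any equipment."""
    reasons = []
    for e in fmea.entries:
        if e.criticality == Criticality.I and not e.eliminated:
            reasons.append(f"Criticality I not eliminated: {e.equipment} / {e.mode}")
        elif e.criticality == Criticality.II and not e.workaround:
            reasons.append(f"Criticality II without workaround: {e.equipment} / {e.mode}")
    for r in reports:
        entry = fmea.find(r.equipment, r.mode)
        if (entry is not None and entry.criticality <= Criticality.II
                and not r.corrective_action_taken):
            reasons.append(f"open problem: {r.equipment} / {r.mode}")
    return reasons


def build_sample():
    """Constructed sample data (hypothetical equipment tags), with the problem
    reports already correlated against the FMEA."""
    fmea = FMEA([
        FailureMode("feed pump P-101", "seal rupture", "feedstock release at heater",
                    Criticality.I, "double mechanical seal", eliminated=True),
        FailureMode("coolant pump P-201", "loss of flow", "process interruption",
                    Criticality.II, "standby pump", workaround="auto-start of standby"),
        FailureMode("level transmitter LT-7", "drift", "off-spec batch", Criticality.III),
    ])
    reports = [
        ProblemReport("coolant pump P-201", "loss of flow", 1240.0, True),
        ProblemReport("compressor C-2", "bearing failure", 310.0),  # not in the FMEA
    ]

    def analyze(r: ProblemReport) -> FailureMode:
        # hypothetical engineering judgement for the mode the FMEA had missed
        return FailureMode(r.equipment, r.mode, "process interruption", Criticality.II)

    for r in reports:
        fmea.correlate(r, analyze)
    return fmea, reports
```

Running on_line_blockers over the sample returns two blockers, both for the compressor: its newly added Criticality II mode has no workaround, and the report against it has no corrective action. Supplying the workaround and closing the report empties the list, which is the "management by exception" behaviour the plan relies on: only items that fail the gate surface.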

Parts Program 

Equipment with basic design proven inade- 
quate for a process is defined as an ALERT 
item. Each item will be reported to the 
________ Division headquarters for distribution 
to other plants. If Division headquarters 
receives an ALERT concerning lot-procured 
items, a procurement stoppage will result until the ALERT 
can be investigated. An ALERT report from a 
plant should include identification of the suc- 
cessful substitute. 

Reliability Test Requirements 

For test under the cognizance of this divi- 
sion, problems encountered during testing must 
be reported as defined in the section entitled 
"Problem Reporting and Corrective Action." 
Problems must be reported during and sub- 
sequent to acceptance testing for equipment 
which is intended for use in this division. If 
the test is conducted prior to transfer to this 
division, problem reporting requirements will 
be included in the specification or procure- 
ment document. The acceptance test for equip- 
ment to be assigned to this division must 
include a functional demonstration in the spe- 
cified environments of pressure, temperature, 
atmosphere (salt water, etc.), vibration, and 
compatibility with process feedstocks and 
products for lot-procured items. Previously 
documented tests of three or more units satisfy 
this requirement. 
I. INTRODUCTION 


This paper describes applications of Sys- 
tem Safety Engineering to the development of 
advanced surface transportation vehicles. The 
concept of System Safety has matured with 
aerospace programs and is now contributing 
safety methodology to non-aerospace segments 
of our society. As a pertinent example, the 
paper describes a Safety Engineering effort 
"tailored" to the particular design and test 
requirements of the Tracked Air Cushion Re- 
search Vehicle (TACRV), developed by the 
Grumman Aerospace Corporation, under con- 
tract to the Department of Transportation. The 
test results obtained from this unique research 
vehicle will provide significant design data 
directly applicable to the development of future 
tracked air cushion vehicles that will carry 
passengers in comfort and safety at speeds up 
to 300 miles per hour. 

Part II of the paper summarizes the Safety 
Engineering efforts implemented during the 
TACRV design phases. A detailed outline of 
the significant safety provisions, incorporated 


during the design of TACRV, is included in 
Part III. The safety engineering effort applied 
during the design of the Tracked Air Cushion 
Research Vehicle reflects the experience 
gained from a wide range of operational sys- 
tems designed and manufactured by the Grum- 
man Aerospace Corporation. These include 
commercial and military aircraft, space ve- 
hicles, hydro-foils and an experimental scien- 
tific submersible. Incorporation of the appro- 
priate features into the TACRV design provides 
the desired result of a safe research vehicle. 
Hazards to operating personnel have been re- 
duced to a minimum. 

Part IV of the paper describes System 
Program techniques and the analytical 
methodology that is applicable to public trans- 
portation systems of the future, derived as a 
"spin-off technology" from aerospace pro- 
grams. Two typical tracked air cushion ve- 
hicles for future public transportation are 
illustrated in Part V and the related system 
safety objectives are highlighted. 
II. TACRV SYSTEM SAFETY PROGRAM 


• OBJECTIVES 

• SCOPE 
  DESIGN, MANUFACTURE AND TEST 

• APPROACH AND METHODOLOGY 
  DESIGN SAFETY CRITERIA AND GUIDELINES 
  SAFETY REVIEWS 
  DRAWING REVIEW AND SIGN-OFF 
  SAFETY CONTROLS IN VENDOR SPECIFICATIONS 

• MANUFACTURE PHASE MONITORING 

• VEHICLE TEST CONSIDERATIONS 


This part of the paper discusses the Safety 
Engineering Program implemented during the 
TACRV design and manufacturing phases, and 
reviews future test program considerations. 
The primary objective of this safety program 
has been to eliminate or reduce potential 
hazards associated with operation and mainte- 
nance of TACRV. Potentially catastrophic 
items were eliminated during early design. 
Critical hazards identified have been elim- 
inated or reduced through use of safety de- 
vices, warning systems and/or precautionary 
procedures. In summary, the objectives of the 
program have been to establish requirements, 
procedures, and methods, to ensure personnel 
safety and minimum risk of damage, or deg- 
radation to equipment. 

SCOPE OF PROGRAM 

The scope of the TACRV Safety Program 
includes the active participation by Safety 
Engineers, design and systems personnel, in 
all phases of design. The significant program 
milestones and related system safety engi- 
neering tasks are illustrated in Figure 1. The 
Grumman approach to system safety is "the 
total integration of available skills and re- 
sources to achieve maximum safety as- 
surance." Safety Program activities generated 
by this concept included: 

•Performance of analytical studies to a 
practicable depth for hazard identifica- 
tion. These include preliminary (gross) 


hazard, hazardous failure-mode and sys- 
tems integration studies on the vehicle, 
subsystems, crew station, wayside power 
and guideway/vehicle interfaces 

• Participation of Safety Engineers at de- 
sign reviews, safety reviews and in- 
formal inspections 

•Recommendations for emergency sys- 
tems, safety devices and/or emergency 
procedures, for identified potential haz- 
ards which cannot be eliminated 

• Provide guidance and support to design 
personnel through development of safety 
design criteria and check lists "tailored" 
to the operating environment of TACRV 

Many technical disciplines contributed to the 
safety assurance effort, including: 

• Reliability/Maintainability - failure and 
maintenance studies. 

• EMI - Safety inputs on vehicle grounding, 
internal bonding, dissipation of electrostatic 
charges and lightning protection considerations. 

• Power Plant - Crashworthy fuel system 
technology, thermal protection and combustion 
prevention considerations. 

• Crew Systems Design - Human Factors 
aspects of Controls and Displays. 

• System and Project Engineering; GAC 
System Safety Staff. 
MANUFACTURE PHASE MONITORING 


The system safety effort planned for the 
manufacturing phase of TACRV includes moni- 
toring the vehicle assembly stages, equipment 
installation and systems checkouts. The pur- 
pose of this effort is to identify and correct 
any potentially hazardous interface conditions, 
between lines and equipments, that were not 
anticipated during the design phases. The 
safety engineer will make corrective action 
recommendations to the project engineer, 
whenever unsafe conditions are identified. In 
summary, the safety tasks will include the 
following: 

•Observe acceptance tests of major equip- 
ments and propulsion systems, to verify 
compliance with safety requirements, 
before installation in the vehicle 
•Monitor installation of all major systems 
and subsystems in order to identify po- 
tential ignition or combustion hazards, in 
each compartment, from possible leak- 
age, chafing, and/or electrical shorts, 
due to close proximity of interfacing line 
connections or interference with vehicle 
structure 

•Inspect turbofan engine installation to 
identify potentially hazardous conditions 
related to engine/vehicle integration. 
Examine engine control linkages for 
freedom of travel. Assure adequate 
thermal protection for equipments and 
lines in high temperature areas. Review 
all potential fluid leakage and drainage 
paths, in engine compartments 
•Monitor installation and checkout of all 
emergency equipment (i.e., fire detec- 
tion/suppression, caution/warning, etc.) 
and safety devices to verify failure-free 
operation 

•Incorporate safety oriented requirements 
into each vendor specification and speci- 
fication control drawing 
•Conduct drawing review and sign-off on 
selected major installation drawings 
where safety provisions are involved 
•Review of test plans, test reports and 
operating procedures to determine impact 
on safety. Review and evaluate precau- 
tionary procedures. Review all test fail- 
ures for unanticipated hazardous condi- 
tions and recommend corrective action 


•Develop a pre-accident plan for coordi- 
nated Grumman support in accident in- 
vestigations 

•During subsequent phases, System Safety 
will review all previous safety studies, 
develop operating and maintenance pro- 
cedures and monitor vehicle test site 
operations 

APPROACH AND METHODOLOGY 

Although there are only minor differences in 
the Safety Engineering effort between Lunar Mod- 
ule, Military Aircraft, TACRV and similar 
advanced surface transportation systems, 
there are significant differences in the acci- 
dent potential and the approach to practicable 
solutions to reduction or elimination of injury 
and damage to equipment. In addition, the level 
of risk that is acceptable in military and 
space operations is not acceptable in public 
transportation. This aspect is what we are 
ultimately dealing with, in our approach to 
achieving safety assurance. 

In the absence of a formal system safety 
engineering standard, such as the military re- 
quirements of MIL-STD-882, ("System Safety 
Engineering Program for Systems and Asso- 
ciated Subsystems and Equipment; General Re- 
quirements for"), special attention was given 
to "tailoring" a system safety program to the 
specific needs of the TACRV Program. In 
lieu of costly and extensive systems safety 
analyses described in MIL-STD-882, all engi- 
neers and designers were provided with a 
"design safety criteria and guidelines" docu- 
ment, developed by the Safety Engineer, to 
enable all personnel to assist in hazard 
identification and elimination in the early 
phases of design. The majority of these "guide- 
lines" has been previously established for use 
in the design of military and civil aircraft and 
spacecraft. The criteria were used continu- 
ously by design personnel as a check-off list 
during the vehicle and subsystems design. 

Where critical hazards were identified, 
the Safety Engineer conducted accident and 
safety equipment research to review the "state- 
of-the-art" in safe system design and offer 
practicable recommendations. For example, 
TACRV has the combination of a large volume 
of JP-5 fuel for the turbofan with a 7000-volt 
LIM electrical propulsion system on board the 
vehicle. Crew survival is now assured by in- 
corporation of a crashworthy fuel tank and 
piping system. Another typical safety study 
involved evaluation of the required number, 
size and locations of doors and escape hatches 
to assure safe exit and/or rescue, under any 
conceivable mishap condition. 

Drawing Review and Sign-Off 

Drawing reviews were conducted during the 
early stages of systems and equipment design 
to identify and correct unanticipated hazards 
and to recommend appropriate emergency 
systems, fail-safe features and safety de- 
vices. Particular attention was given to review 
of critical systems that are employed during 
emergency situations. Typical examples of 
layouts and drawings reviewed for these sys- 
tems and equipments included crew station, 
emergency controls, escape hatches, caution/ 


warning, fire detection/suppression, vehicle 
grounding, brakes and fuel systems. 

Effective control of design safety, for sub- 
contractor supplied equipments, was estab- 
lished by incorporating safety oriented 
requirements into each Specification Control 
Drawing (SCD). Preliminary and final "SCD's" 
were reviewed to verify compliance, or make 
additions, to the safety requirements. These 
included such items as safety factors, leakage 
tests, proof tests, fail-safe and non-flammable 
requirements, where applicable. All "SCD's" 
required final sign-off by the Safety Manager. 

Useful Inputs from Other Disciplines 

Employment of the "Safety Criteria and 
Guidelines" document, prepared by the Safety 
Manager, enabled all design personnel to con- 
tribute safety assurance features throughout 
the design effort. 
these areas would greatly endanger both crew 
and equipment, a fire detection system is 
located in each of the engine nacelles and in 
the PCU compartment. 

The means for fire detection is an element 
which changes resistance with temperature. 
This element is a continuous cable which 
threads through each engine nacelle so that it 
will detect hot spots or high average tempera- 
ture. The detection circuit is triggered when a 
temperature of 450°F is detected. When this 
occurs the Master Caution Lights flash, an 
audible alarm sounds and the appropriate 
warning light goes on. The fire detection cir- 
cuits have a "press to test" feature which 
allows the operator to test the continuity of 
the sensing elements and output amplifier. 

Fire Suppression 

The means for fire suppression is through 
the release of bromotrifluoromethane (CF3Br). 
This material is stored in bottles, in a liquid 
state, and when released forms a heavy blanket 
of inert gas which excludes oxygen from the 
fire zone. This gas is released into the nacel- 
les by the operator who presses a switch which 
ignites a pyrotechnic valve. Once opened, this 
valve allows all of the gas to be expended. The 
pyrotechnic valve switch is located so that the 
operator's Fire Control "T" handle must be 
pulled out first. This assures the cut-off of 
fuel and hydraulic oil flow to the engine com- 
partments before the fire suppressant gas is 
released. 

Fire suppression in the LIM PCU equip- 
ment compartment will also utilize CF3Br. 
Detection of a PCU fire will be displayed on 
the Operator's Caution and Warning Panel and 
will also initiate the Master Caution Lights 
and Audible Alarm. 
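The detection and release sequence described above, modelled as an added example written for this edition; it is not code from the TACRV program. The class and method names, the event-sequence driver and the "broken sensing element" case are constructed; only the 450°F trip point, the T-handle-before-release ordering and the one-shot nature of the pyrotechnic valve come from the text.

```python
"""Added example (not from the TACRV program): the nacelle fire detection
and suppression interlock described above, as a small state machine.
Class and method names and the event sequences are constructed."""
from enum import Enum, auto

FIRE_TRIP_F = 450.0  # trip temperature stated in the text


class Bottle(Enum):
    CHARGED = auto()
    EXPENDED = auto()  # the pyrotechnic valve is one-shot: all gas is released


class NacelleFireControl:
    """One engine nacelle: continuous sensing element, caution/warning
    outputs, fire control T handle and the suppressant release switch."""

    def __init__(self, element_intact: bool = True):
        self.element_intact = element_intact  # continuity of the sensing cable
        self.t_handle_pulled = False          # cuts fuel and hydraulic oil to the nacelle
        self.bottle = Bottle.CHARGED
        self.master_caution = self.audible_alarm = self.warning_light = False

    def sense(self, temp_f: float) -> bool:
        """Element resistance rises with temperature; the circuit trips at the
        threshold. A broken element never trips, which is what the
        press-to-test feature is there to catch."""
        if self.element_intact and temp_f >= FIRE_TRIP_F:
            self.master_caution = self.audible_alarm = self.warning_light = True
        return self.warning_light

    def press_to_test(self) -> bool:
        """Continuity check of the sensing element and output amplifier."""
        return self.element_intact

    def pull_t_handle(self) -> None:
        self.t_handle_pulled = True

    def press_release_switch(self) -> Bottle:
        """On the vehicle the switch is reachable only after the T handle is
        out; here the same ordering is enforced explicitly. Raises if the
        cut-off has not happened or the bottle is already expended."""
        if not self.t_handle_pulled:
            raise RuntimeError("fuel and hydraulic cut-off required before release")
        if self.bottle is Bottle.EXPENDED:
            raise RuntimeError("suppressant bottle already expended")
        self.bottle = Bottle.EXPENDED
        return self.bottle


def run_sequence(ctrl: NacelleFireControl, events):
    """Drive the controller with (event, value) pairs and return the outcome
    of each step; interlock violations are recorded instead of raised."""
    log = []
    for name, value in events:
        try:
            if name == "temp":
                log.append(("temp", ctrl.sense(value)))
            elif name == "t_handle":
                ctrl.pull_t_handle()
                log.append(("t_handle", True))
            elif name == "release":
                log.append(("release", ctrl.press_release_switch().name))
        except RuntimeError as err:
            log.append((name, f"blocked: {err}"))
    return log
```

Two points worth checking in any such model: the release precondition is enforced mechanically on the vehicle (switch placement behind the T handle), so a software model must encode the same ordering rather than trusting the operator; and a detection loop that has lost continuity fails silent, which is why the press-to-test check belongs in the pre-run procedure rather than being optional.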

NORMAL AND EMERGENCY BRAKING 
SYSTEMS 

LIM Braking 

The Linear Induction Motors (LIMs) are 
capable of exerting the highest braking force 
of all braking modes provided for the TACRV 
and will be the primary means of stopping. 
However, LIM braking is dependent upon pick- 
ing up wayside power, and the proper function- 


ing of PCU equipment and controls. Hence, loss 
of wayside power, or electrical failures aboard 
the vehicles, will render LIM braking com- 
pletely ineffective. The Braking System has 
been designed to have multiple devices for sup- 
plying braking forces. This permits evaluation 
of braking effectiveness, and enhances the 
safety of the crew and equipment during testing. 
High speed testing on a relatively short length 
of guideway requires back-up braking modes. 
With exception of the friction brake pedal, all 
braking device controls are within reach of 
both operator and observer. 

Friction Braking 

Friction braking has several important ad- 
vantages over LIM braking. It is not dependent 
on wayside power and it is less complex; thus, 
the probability of failure is reduced. The fric- 
tion braking system is also equipped with re- 
dundant actuators. The main actuators get high 
pressure oil flow from the three engine-driven 
pumps. Friction braking is the main back-up 
for LIM braking at low speed, whereas the 
speed brake is used at high speed. 

Speed Brake 

An aerodynamic speed brake, located on 
top of the engine nacelles, produces a drag 
force that augments vehicle drag for normal 
braking. 

Emergency Braking Modes 

As a backup to the normal braking modes previously described, there are a number of emergency modes which assure stopping when primary braking fails. The friction brake pads have redundant actuators which are deployed by flowing hydraulic fluid from a charged accumulator. Thus, loss of pressure in the main hydraulic system will not void the use of friction brakes. A drag chute is aboard for use in major emergencies where failure or late application of a primary mode requires additional braking force. Release of the chute is manual, through a cable-pulled mechanical latch; reliability is thus enhanced due to the direct, positive control. Friction braking can also be accomplished by shutting off the three engines, which causes the levitation cushion skids to rub against the guideway. If all methods of braking fail to stop the vehicle before it reaches the end of the guideway, an arresting cable engages the nose of the chassis. As the cable extends, energy is expended in a water brake at the side of the guideway. 
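The braking modes described above form a redundancy structure that can be checked mechanically rather than by inspection. The Python script below is an added example, not code from the paper or from Grumman: it records each braking mode's dependencies as the text states them, enumerates the minimal cut sets (the smallest sets of component failures that defeat every mode at once), and computes the exact probability of a failure to stop under the assumption of independent component failures. The component names and the per-run failure probabilities are constructed placeholders for illustration, not figures from the paper.

```python
"""Minimal cut sets and top-event probability for the TACRV braking modes.

Added example, not from the paper. The mode-to-component dependencies follow
the text above; component names and failure probabilities are constructed.
"""
from itertools import combinations, product

# A braking mode works only if every component it depends on is working.
# Dependencies paraphrase the paper; the component names are ours.
BRAKING_MODES = {
    "lim":                  {"wayside_power", "pcu"},
    "friction_main":        {"brake_pads", "engine_driven_pumps"},
    "friction_accumulator": {"brake_pads", "accumulator"},
    "speed_brake":          {"speed_brake"},
    "skid_on_shutdown":     {"engine_shutoff"},   # cushion skids rub the guideway
    "drag_chute":           {"drag_chute"},       # manual, cable-pulled latch
    "arresting_cable":      {"arresting_cable"},  # end-of-guideway water brake
}

# Constructed per-run failure probabilities (hypothetical, illustration only).
FAILURE_PROB = {
    "wayside_power": 0.05, "pcu": 0.02,
    "brake_pads": 0.001, "engine_driven_pumps": 0.01, "accumulator": 0.01,
    "speed_brake": 0.02, "engine_shutoff": 0.01,
    "drag_chute": 0.05, "arresting_cable": 0.02,
}


def vehicle_stops(failed, modes=BRAKING_MODES):
    """True if at least one braking mode has all of its components intact."""
    return any(not (deps & failed) for deps in modes.values())


def minimal_cut_sets(modes=BRAKING_MODES):
    """Smallest component-failure sets that defeat every braking mode.

    Brute force over combinations by increasing size: a candidate is a cut set
    if it hits every mode, and it is minimal if no smaller cut set is a subset.
    """
    components = sorted(set().union(*modes.values()))
    found = []
    for size in range(1, len(components) + 1):
        for combo in combinations(components, size):
            cand = frozenset(combo)
            if any(cut <= cand for cut in found):
                continue  # superset of a smaller cut set, so not minimal
            if not vehicle_stops(cand, modes):
                found.append(cand)
    return found


def top_event_probability(modes=BRAKING_MODES, probs=FAILURE_PROB):
    """Exact P(vehicle fails to stop) by enumerating every component state.

    Assumes independent failures. Shared components (brake_pads serves both
    friction actuators) are handled correctly because each state is scored once.
    """
    components = sorted(set().union(*modes.values()))
    total = 0.0
    for state in product((False, True), repeat=len(components)):
        failed = frozenset(c for c, f in zip(components, state) if f)
        if vehicle_stops(failed, modes):
            continue
        p = 1.0
        for c in components:
            p *= probs[c] if c in failed else 1.0 - probs[c]
        total += p
    return total


def component_importance(cut_sets):
    """Number of minimal cut sets each component appears in; a component in
    every cut set would be a single point of failure for the whole system."""
    counts = {}
    for cut in cut_sets:
        for c in cut:
            counts[c] = counts.get(c, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    cuts = minimal_cut_sets()
    print(f"{len(cuts)} minimal cut sets; smallest has {min(map(len, cuts))} members")
    for cut in sorted(cuts, key=len):
        print("  ", sorted(cut))
    print("P(fail to stop) =", top_event_probability())
    print("cut-set membership:", component_importance(cuts))
```

With these placeholder figures the smallest cut set has six members, so no single component failure (and no pair) can leave the vehicle without a stopping mode; the arresting cable and drag chute appear in every cut set simply because each is a mode on its own, while the brake pads, shared by both friction actuators, appear in half of them. That last observation is the kind a reviewer takes from the analysis: redundant actuators do not help if the element they both drive is common.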

ELECTRICAL HAZARD PROTECTION 

The vehicle and associated electrical equipment have been designed to provide ground paths so that protection of operating and maintenance personnel is assured. Electrical equipment in the vehicle body is positively grounded with straps or with aircraft-type approved bonding. Body-to-chassis grounding is done with grounding straps near the fore and aft suspension points. The LIMs are grounded to the chassis structure and to the LIM rail when the vehicle is not under way. The vehicle will be grounded during fueling. 

VEHICLE GUIDEWAY RETENTION 

The vehicle levitation cushions are designed 
so that the top of the cushion structure will 
engage the guideway guidance panels if the 
chassis lifts. 

SUSPENSION SYSTEM 

The suspension system is designed so that 
loss of electric power to the Control Amplifier 
Unit will result in the reversion from active 
to passive suspension. Other failures, which 
may affect only one channel of the active sus- 
pension system, will not cause automatic 
switching to passive suspension. The operator 
can select, with a mode switch, "passive 
suspension". This switch puts all actuators in 
the passive mode, and assures a safe, well 
damped ride. 

CAUTION AND WARNING SYSTEM 

The TACRV has a caution and warning system which is similar to that used in commercial aircraft. Two master caution lights, located on top of the operator's control and display panels, flash in the event of a detected failure or unsafe condition. These master warning lights alert the operator and observer to visually scan the control panels for a lighted caution indicator which identifies the malfunction area. Fire warning is separate from the "Caution and Warning System". Individual fire alarm lights designate the compartment in which a fire is detected and a horn provides an audible alarm. The areas monitored are the PCU compartment and left, center and right engine compartments. 

NORMAL AND EMERGENCY EXIT 
PROVISIONS 

The personnel compartment has a total of 
six possible exits for its occupants. Doors are 
provided on each side of the vehicle for normal 
and emergency exit for all occupants. If the 
doors are inoperative, two escape hatches 
above the operator seats can provide a means 
of egress. The direct-vision windows, just aft 
of the windshield, are designed to slide back, 
also permitting egress as a last resort. 

PERSONNEL COMPARTMENT AND CRASH 
SAFETY CONSIDERATIONS 

The design of the personnel compartment 
employs features that are consistent with ap- 
proved safety and human factors practices for 
commercial aircraft. The selection of aircraft- 
type seats, restraint harness, bird-proof wind- 
shield, and the arrangement of instrument 
panel, caution/warning panels and controls, all 
contribute to safe and efficient operation of the 
TACRV. 

Seats and Restraint System 

For maximum protection of occupants, ap- 
proved-type aircraft seats are installed in the 
personnel compartment. Safety belts and 
shoulder restraint harnesses are installed on 
the seats for protection during emergency 
braking conditions. The standard aircraft re- 
straining harness has a single-point release 
mechanism that is capable of instant release 
by the occupant or by' rescue personnel. The 
shoulder harness is equipped with an inertia 
reel and cable mechanism which prevents for- 
ward pitching of the body during emergency 
braking. A ratchet mechanism, within the reel, 
restrains the shoulders in the last angular position of the body when a sudden stop occurs. 
This device reduces chance of crash-induced 
head injuries. 
IV. SYSTEM SAFETY PROGRAM APPLICATIONS TO ADVANCED PUBLIC TRANSPORTATION SYSTEMS

• PROGRAM PARTICIPATION BY SYSTEM SAFETY

• SAFETY ANALYSES METHODOLOGY

• SAFETY REVIEWS


This part of the paper describes System Safety Engineering techniques and methodology that are applicable to advanced public transportation systems of the future, derived as a "spin-off technology" from aerospace programs. Although recent commercial and military aircraft designs have utilized the system safety discipline, design of surface mass transportation systems and automobiles has not. The TACRV is pioneering in high speed - 300 MPH - surface transportation. This alone produces a whole new spectrum of hazard potentials requiring system safety analyses for the first time. Failure Effects Analysis, Hazard Mode Analysis and System Integration Safety Analyses are useful "spin-offs" from aerospace technology which are applicable here. There have never before been any requirements for such in-depth safety studies in surface transportation. Formal safety reviews can be anticipated to resolve or correct hazards identified in all systems within the vehicle, guideway and related power distribution systems. 

The contents of this section are graphically illustrated in Figures 4, 5 and 6, to depict the elements of formal safety program planning based upon the approaches used on aerospace programs. Figure 4 presents the typical safety program milestones for a prime contractor's Program Plan; Figures 5 and 6 provide insight into system safety participation during the design, manufacture and testing phases of a typical transportation system. 

Safety analyses methodology is illustrated in Figures 7, 8, 9 and 10, also included in this section. These charts indicate the aerospace "systems approach" for effective utilization and coordination of analytical efforts that may be applied to future transportation systems. 

Several representative "tracked air cushion vehicles" for future public transportation are described in Part V of this paper. The purpose is to enable the reader to visualize the innovative approach to vehicle design, wherein system safety applications are essential, in the interest of public safety. 

Aspects of Safety Program Planning, Participation and Analyses 

Based upon the approach used in the aerospace industry, the planning guidelines for future safety plans will be derived from Government Standard MIL-STD-882 and from prior contractor experience on similar programs. The formal safety programs, which include the application of analytical techniques and scheduled safety reviews, will identify and eliminate or reduce potential hazards associated with operation and maintenance of the overall system. In many cases, the use of safety devices, emergency systems, warning devices, or procedural changes will be employed. 

Subcontractors will be subject to specific 
design safety requirements in the appropriate 
specifications and contracts. As technical 
systems manager, the prime contractor moni- 
tors all safety efforts of each subcontractor, 
ensuring that these requirements are met. On 
major subsystems, subcontractors are re- 
quired to submit safety plans describing in 
detail their system safety organization, scope 
and effort. These plans will be integrated with 
the prime contractor's plan to ensure a coordinated overall effort that will include the 
following activities: 

• Develop a "System Safety Engineering Program Plan" (SSEP) and submit to the customer for mutual agreement on scope, schedule and cost 

• Perform preliminary (gross) hazard 
studies and system analyses on the ve- 
hicle, subsystems, operator station con- 
figuration, wayside power and guideway 
systems (reference Figures 4, 5 and 7) 

• Perform failure mode analyses on major 
systems to ensure that system or equip- 
ment failures will not cause hazardous 
conditions (reference Figures 5, 8, 9 and 
10) 

• Provide guidance and support to design 
personnel through development of safety 
design criteria and check lists appro- 
priate for each discipline 

• Define both design and operating safety 
requirements for all normal and emer- 
gency systems operation (reference Fig- 
ures 4, 5, 6, 7 and 10) 

• Develop safety procedures for compliance by operating and maintenance personnel before and after each vehicle run, to reduce chance of accidents or injury (reference Figures 4, 5, 6 and 10) 

• Perform safety reviews during accept- 
ance testing to demonstrate that operat- 
ing and emergency procedures are ade- 
quate (reference Figures 4, 5, 6 and 10) 

• Participate in design reviews and conduct safety reviews (reference Figures 4, 5, 6, 7 and 9) 

• Monitor all pre-production equipment and systems tests to identify unanticipated failure modes and make recommendations for corrective action (reference Figures 5, 6, 8 and 9) 

During subsequent vehicle tests, all pre- 
vious analyses will be reviewed to assess 
adequacy of emergency provisions, develop 
operating and maintenance procedures, and 
monitor final test and checkout operations 
(reference Figures 5, 6 and 8). 


• SAFETY ANALYSES METHODOLOGY

• OBJECTIVES: HAZARD IDENTIFICATION, ELIMINATION AND/OR COMPENSATING PROVISIONS

• SAFETY ANALYSES UTILIZATION FLOW

• PRIME AND SUBCONTRACTOR ANALYSES, A COORDINATED EFFORT

• COORDINATION OF RELIABILITY "FMEA" WITH SYSTEM SAFETY "HMEA" ANALYSES
V. A LOOK AT FUTURE MASS TRANSIT SYSTEMS

• ADVANCED CONCEPT STUDIES

• SYSTEM SAFETY OBJECTIVES


ADVANCED CONCEPT STUDIES 

The growing need to improve our nation's 
surface transportation systems is currently 
recognized. While improvement of existing 
modes is a logical step, we are also pursuing 
new and innovative concepts as the only means 
through which a dramatic upgrading of ground 
transport can be achieved. The tracked air 
cushion vehicle with linear induction propul- 
sion is an excellent example of a developed 
concept that employs technology new to the 
transportation field. TACV promises a safe, 
fast, comfortable, all-weather, non-polluting 
alternative to present systems. Applications 
of this concept, in the near future, will pro- 
vide a major first step toward gaining public 
acceptance of this new mode of travel. The 
TACV is considered to be an innovative ap- 
proach to provide high-speed ground access 
to our airports, as well as a safe and com- 
fortable means of inter-city mass transit, 
for the near future. Figures 11 and 12 
illustrate typical development studies of the 
aforementioned Tracked Air Cushion 
Vehicles. 

SYSTEM SAFETY OBJECTIVES 

The system safety objectives that are 
considered uppermost in the TACV System 
and all new modes of transport development, 
are as follows: 

• The system must ensure safety of pas- 
sengers, operators and maintenance per- 
sonnel 


• The system should not create or ap- 
pear to create a hazard to the com- 
munity, its environment, its children, or 
its animals 

• The operational reliability must be sufficiently high, and recovery from failures that do occur must not present a potentially hazardous condition to people, equipment or other means of transport in close proximity to the system 

• The system should not pollute the operating environment with exhaust or excessive noise 

In summary, the primary objectives of 
the System Safety Engineering Programs 
planned for new modes of public transporta- 
tion, include the following: 

• Identify potential hazards by analytical 
methods and by equipment test sur- 
veillance 

• Determine hazard effects on passenger and public safety 

• Develop corrective and/or preventative measures 

• Identify rescue requirements peculiar to the new transportation system 

• Establish safety guidelines for design, test operation and maintenance phases of the vehicle life cycle 

• Identify need for technology development 
and additional study where safety as- 
surance appears uncertain 
VI. SUMMARY AND CONCLUSIONS 


SUMMARY 

The concept of System Safety Engineering has matured with aerospace programs and is now contributing safety assurance methodology to the non-aerospace segments of our society. As an appropriate example, the Safety Engineering effort discussed in this paper has been "tailored" to the particular design, schedule and operating requirements of the Tracked Air Cushion Research Vehicle (TACRV). The safety considerations used during the design of TACRV are the result of experience gained from a wide range of aircraft, space vehicles and experimental systems designed and manufactured by the Grumman Aerospace Corporation. The incorporation of the appropriate features into the TACRV design provides the desired result of a safe research vehicle with minimum hazard to operating personnel. 


In many cases, materials and hazard control techniques developed in our aerospace programs are being applied to advanced surface transportation systems. Typical examples in TACRV are the use of non-flammable materials, system hazard and human factors studies, redundant systems for critical control functions, and fire-proofing of fuel and propulsion systems. 

It is anticipated that many of the ap- 
proaches to safety assurance described in this 
paper will be directly applicable to future 
public transportation systems and vehicles as 
a "spin-off technology" from the aerospace 
industry. 

In summary, the significant safety features 
provided to compensate for potential hazards 
identified on the aforementioned TACRV, in- 
clude the following: 


POTENTIAL HAZARD CATEGORY / COMPENSATING SAFETY PROVISIONS 

Fire and Toxic Smoke 

• ECS Fresh Air Supply System, Two Sliding Windows, Two Overhead Hatches 

• Fire Detection and Suppression System for Critical Areas 

• Non-Flammable Materials in Personnel Compartment 

• Fire Shut-Off Valves for Fluids 

Explosion 

• Crashworthy Fuel Tank and Lines; Fuel Tanks Assembled with Reticulated (Porous) "Safety Foam" 

• Fuel Tanks Isolated From Crew 

• Drainage and Ventilation in Fuel Area 

Emergency Stopping and Crash Condition Hazards 

• Aircraft Seats, Safety Belts, Shoulder Harnesses and Inertia Reels 

• Padded Instrument Panel Visor 

• Two Doors and Two Escape Hatches 

Brake Failure Emergencies 

• Friction Brake Backup System 

• Drag Parachute 

• Arrestment Cable System 

• Settle Vehicle on Cushion Skids 

Critical Systems Failures (i.e., Fluid Power, Electrical, Turbofan, ...ros, etc.) 

• Caution and Warning System Located on Operator's Panel 

Electrical Shock to Personnel 

• Vehicle Grounds Externally to LIM Rail When Vehicle Stops, Plus External Grounding Cable Provided 

• Internal Vehicle Bonding and Grounding 

Bird Strike Hazards to Crew 

• Birdproof Aircraft Windshield 

Fog, Rain or Ice on Windshield 

• Electrically Heated Aircraft Windshield 

Secondary Suspension System Malfunction 

• Operator Can Switch From Active to Passive Suspension System 

Vehicle Leaves Guideway 

• Positive Retention of Vehicle Provided by Air Cushions Extended Under Guideway Side Rails 

CONCLUSIONS 

Judicious use of System Safety Engineering techniques during early phases of design can yield a highly effective safety assurance program in terms of accident prevention, avoidance of costly changes and assurance of safe operation and maintenance throughout the life cycle of the system. 

Timeliness of Safety Engineering studies is an essential factor for early identification and elimination of potential hazards and latent design deficiencies. By this approach, the appropriate safety devices, emergency systems and fail-safe features can be readily incorporated during the initial design stages. 

The Grumman approach to system safety 
is "the total integration of available skills 
and resources to achieve maximum safety 
assurance". Safety program activities gener- 
ated by this "system approach" and total 
team effort yield an effective program with- 
out costly duplication of efforts. 

As we pioneer into higher speed concepts 
of surface transportation, extensive applica- 
tion of in-depth failure and hazard mode 
analyses, systems integration analyses and 
formal safety reviews can be anticipated, in 
the interest of passenger and community 
safety. 
SESSION VI 


QUESTIONS AND ANSWERS 


JERRY LEDERER: Mr. Arnzen: If you have those two high speed tracked vehicles going in opposite directions and apparently very close together according to the slide, what do you do about the negative pressure between the two vehicles; aren't they going to be drawn together? Question No. 2 - The airlines have for years used JP-4 for safety. What do you use JP for? No. 3 - In connection with the bird strike on the windshield, are you considering the possibility of things like icicles hanging down from bridges hitting the windshield too? They can be pretty tough. 

MR. ARNZEN: In regard to the first question, this is a necessary portion of wind tunnel research. I believe you struck on a very good point: the bow wave from one vehicle would impart a shock wave against the opposing vehicle coming in the opposite direction. I believe this would be an essential part of the wind tunnel work to study this interaction. Conceivably it could be a violent whack and you might call it similar to two snow plows passing each other with a three-foot gap. The wind tunnel data would indicate the optimum distance. Conceivably, it might be better to put one guideway on one side of a turnpike, whether it be an interstate parkway or priority real estate already assigned, and perhaps the wind tunnel data would tell us it should go on the opposite sides. In regard to the use of the fuel: these particular engines, the engine manufacturer recommended use of this; this is not our selection. Although one fuel would be slightly less volatile than the other, we think we have eliminated the volatility problem by the non-destructive crashworthy tanks, the well-ventilated compartments of these tanks, the isolation from vapor even getting into the compartment and the overboard venting procedures during refill. We are aware of many precautions which have to be taken in handling this fuel. The last question in regard to bird strike damage: on Gulfstream 1 and 2 we have conducted tests with 15 lb. birds and this is interesting. You actually can encounter certain birds up as high as 30,000 feet. Destructional integrity is such of these crash resistant windshields that they will take bird strikes. However, the gentlemen who referred to the transit program and the various problems presented came up with something interesting which we have to put in our cap. Bricks dropped by children from overpasses, icicles and things of that sort, warrant new and fresh consideration. There will be a whole new spectrum of hazards — a whole new ball game and I think that is a good question. 

QUESTION: Mr. Driver, everyone has a 
car so everybody is an expert. Assuming 
that speed of course is by definition a problem on the road, in the diagrams that you 
showed I saw nothing being done about what 
might be described as too much engine and 
not enough bumper. Is anything being done 
in that area or contemplated? 

MR. DRIVER: We have out now a notice that controls rulemaking which addresses the problem of speed control. It identifies speed warning and speed control; they are two separate functions. One is to advise the driver that he is going too fast and the other one is to keep his car from going too fast, either by virtue of control of horsepower or by virtue of a speed control device like a governor. In the area of bumpers, amazingly enough most of the bumpers that you now have will not survive a two-mile an hour impact without humping the front end. I have had personal evidence and I guess most of you have had also. We are now proposing a five and a ten mile an hour bumper; however, the bumper is just the first thing to get hit and is just a part of the total energy absorption system that we are trying to develop for a vehicle. This will include not only "energy absorbing bumpers" but also "energy absorbing front ends." For example, the hinge front end, Ford now calls it the X-member. Shock continuation through the entire body frame plus the passive restraint to keep you where you should be so you can ride down the G forces instead of smacking up against the interior of the vehicle at high-G forces. We think we are taking a systems look at it. Those two you mentioned are a part of the total problem. 

R.M. WILMOTTE: This is really a com- 
ment about a statement of Mr. Williams. The 
comment I want to make is in connection with 
operating correctly the first time. I think 
there is a danger in referring to doing any- 
thing correctly. There is always a residual 
failure, a residual uncertainty and that com- 
ment has influences if you say that you have 
done something correctly the first time. It 
influences two groups; one management, the 
manager says well now I can do what I want 
I have no dangers, but there is always a 
probability of a danger. The second is the 
operating level I'll give you the example of 
the well documented zero defect propaganda. 
I'll quote a comment from a manufacturing 
engineer manager whom I held very highly. 
His statement was something like this; After 
the President had made his one-half hour 
speech saying we must have zero defect in 
this company etc., there was an improvement 
in his shop for something like two weeks and 
then it fell back, not to where it was, but 
something to worse than it was. What were 
reasons? The reasons are rather interesting. 
He said, before that speech I used to know 
pretty well where in my shop the troubles 
came, and I was generally told about them in 
some way or other. After that speech there 
was a very wonderful cooperation among the 
workers that they wouldn't tell me where the 
troubles were and I couldn't find them any- 
more. From that point of view the product 
of my shop dropped. I heard that specifically 
from this individual but I also heard a con- 
firmation of that in other places so I would 
like to give a warning, the possibility of using 
in any form, that anything can be perfect or 
that anything can be done right the first time 
has associated with it certain dangers. 

The next thing that I want to say concerns 
Mr. Driver. I am always interested in the 
relationship between an activity that looks as 
though it was self-contained but never is. It 
is always connected with some other activity. You've been concentrating, and I'm sure you 
know what I say is quite obvious to you and 
you know it thoroughly, but your description 
refers entirely to the saving, the safety of 
life. I'll say or reduction of accidents. You 
cannot isolate that from the cost. Politically 
we say to save a life is worth an infinite 
amount of money, well, that just isn't true 
because we never do that. In the case of 
automobiles you have two ways of obtaining a 
price for safety. One is by taxing in which 
the federal government or the state govern- 
ments impose a regulation, impose a tax and 
pay for some things such as improving the 
road bed. The other is to impose a structure 
in the equipment which costs something and is 
politically easier to handle because it merely 
is represented in a price which the buyer 
doesn't know specifically how much of that is 
for safety and how much is for better paint or 
something. Besides the price angle, there is 
the pollution angle. Does the safety require- 
ment that you put on increase pollution? I 
suggest that generally it does. The real problem, I give you an example that came rather interestingly: There were a number of accidents on tractors and the tractor manufacturer improved his tractor in order to reduce the accidents and indeed it was a pretty good 
improvement but strangely enough the number 
of accidents remained the same. Why? Be- 
cause the operators of the tractors now used 
it in more dangerous conditions because there 
were less accidents. Until the number of 
accidents drew up to about the same as they 
were before then they stopped endangering 
the equipment. There is a strong tendency 
which I think is very much to the point of the 
automobile process. You will find over the 
years that the accident rate strangely enough 
has remained remarkably constant with all 
kinds of changes that have been put in. It is 
true that recently there has been a decrease. 
But there were decreases like that as some- 
thing happened and for a while it decreased; 
but there is a tendency to go back. In other 
words, I think that probably we are generally 
increasing the speed of our automobiles up to 
the point that we don't like to get killed any- 
more. That is, we hear of our friends or 
people know of someone who has been killed 
in an automobile accident. If we hear too much of that then we drive more carefully. If we hear less of that we drive less carefully. 
We speed up and there is a tendency to, I 
think you’ll find some literature on the sub- 
ject, for humans to build up their danger up to 
a certain point and strangely enough that point 
is very much the same in all kinds of acci- 
dents. In the case of automobiles and where 
we put heavier bumpers and reduce the acci- 
dent rate because of something of this kind, 
you are likely to find over the years, if the 
philosophy I am describing is correct, you 
will describe over the years, first of all a 
increase in weight of automobiles which 
will use more gasoline for more pollution. 
Secondly, a higher speed because there are 
few accidents, therefore, we want to build up 
the accidents and one of the benefits of course 
of all this is that you want to balance not 
only the accident rate but the price. The pol- 
lution and the value of the automobile. Namely 
reducing time and under the strange pres- 
sure that our society and civilization has 
built, time seems to be not necessarily meas- 
ured in dollars but I don't have time to do 
what I want to do therefore I want to go 
fast. 

MR. DRIVER: I'll resend yes. No. 1 on 
cost to save. I quite agree that there is a 
cost penalty for practically any innovation or 
anything new. In our case what we try to do 
is to institute a performance of clamor with 
such an effective lead time that it can involve 
only redesign of an existing piece of equipment. Like redesign of a brake instead of add 
on of another piece of equipment. This cuts 
the cost down quite a bit. In addition, some 
of our performance requirements involve the 
elimination of some parts of the vehicle and 
the substitution, say the elimination of two 
pieces of equipment and the addition of one 
piece of equipment so that in many cases the 
cost is balanced off. We do run safety cost 
benefit analysis in each case to determine and we hate to equate the life to a dollar but 
you have to do it sometime and we take a 
good hard look at what are we getting for 
our money. If we institute safety device or 
safety requirement No. 1, approximately how 
many lives are we going to save, how many 
injuries are we going to reduce. How many 
crashes are we going to avoid? We equate 
that with how much it is going to cost you as 
a consumer per vehicle to get that. Then we 
take a look at those figures. If they are in 
the red it doesn't mean we won't do it. I'll 
give you a very concrete example. The furor 
about power windows. A safety standard came 
out on power windows, it required certain 
minor changes to the power window system, 
in actuality the number of lives lost as a 
result of improper action of power windows 
was low but those that happened to get killed 
happened to be kids and one of them happened 
to belong to somebody in pretty high places. 
The same thing of school bus standards, you 
have many more school kids getting killed in 
automobiles than you have getting killed in 
school buses but what do we do for automo- 
biles to protect children, what do you do for 
a school bus when something happens. In sum- 
mary, we are doing something and we are 
trying to implement it in such a way that the 
cost is minimized. In terms of increase in pol- 
lution, the only standard that I know of that per- 
tains to pollution in our particular case is one 
that reduces it and that is the one on the fuel 
tank for example. The fuel tank is no longer 
vented to the atmosphere and if I remember my 
figures right from when I was working on the 
low pollution automobile about 15% of your ve- 
hicle pollution is plain ole evaporation out of 
the fuel tank. I admit that if we would come out 
and require that vehicles have bigger engines 
and lower rpm etc. and give more exhaust out 
of the exhaust you might be adding to pollution. 
I'll just quarrel with you on that a little bit 
that's all. 
This has been a very stimulating meeting. Before making my observations and reflections I feel we should thank Phil Bolger for organizing it. 

I'll begin with a few criticisms. 

The emphasis was on hardware, yet soft- 
ware is of vital importance. Miller and 
Arnzen tried to drive home the fact that 
system safety covered more than engineering. 
Mistakes in procedures, in computation, even 
the way words are used in a manual are im- 
portant. They may be misinterpreted or mis- 
understood. My boss in the Office of Manned 
Space Flight, Dr. George Mueller, had a large 
and unusual photograph on the wall behind his 
desk. Figure 1. 

It was simply a photograph of a minus (-) 
sign. Some years ago a computer programmer 
had neglected to feed the minus sign into an 
equation going into a computer to guide a 
space vehicle. This "software" mistake cost 
about $18 million, as I recall. So do not forget 
software when you think of system safety. 

Other important subjects, not hardware 
oriented, are part of System Safety or the 
systematic approach to loss prevention. Some 
30% of missile failures have been caused by 
human errors. Yet in these lectures there 
was little or no reference to motivation and 
certification programs. Motivation (aware- 
ness) is an important part of the NASA pro- 
gram. The blue collar worker can be the 
Achilles heel of programs that depend on 
single point failures. The only reference to 
motivation was the NASA Awareness Bulletin 
on the table. Mr. Pope alluded to motivation 
when he stressed the importance of communi- 
cating up. I heard very little about human 
factors. Gera of NAR did have behavior fail- 
ures in his closed loop vugraph. Human fac- 
tors should be considered to include the 
environment in which men work, the shop, 
test center or the cockpit, as well as human 
factors in the design of the product such as 
shape of control handles. 

Except for the lecture on Viking, I heard 
no reference to Safety Analysis Reports. This 
is a vital report prepared for the top decision 
maker prior to operation, showing him what 
risks remain, how they are rationalized, why 
they were accepted. Without this, top manage- 
ment cannot give or deny a go-ahead, with 
prudence. 

Another criticism is the problem to which 
C. O. Miller alluded, of making writing easier 
to grasp. Much of our phraseology is hard to 
understand by managers whom we are trying 
to influence. Pope suggested a replacement 
phraseology such as "performance error" in 
place of the word "accident" in order to make 
safety (a motherhood term) more acceptable 
in management circles. His recommendation 
to change an accident report into a management 
critique written by the people involved 
in the accident is another excellent idea in my 
opinion. He questions the use of the word 
Safety. I'm sure he has wide support. We prefer 
risk management. What is meant by 
"critical" in the phrase "critical hazard 
analysis"? Why not simply use hazard analysis? 
"Optimization" is frequently used. What does 
it mean? Why use cycle in "life cycle"? I suggest 
that the phraseology of system safety be 
combed for simplification. It is also of great 
importance to do this when system safety is 
translated from aerospace to other industries. 
The lecture by Williams brought this out. 

There is background to use palatable words 
in aviation safety; lap belts or seat belts in 
place of safety belts is an example. 

The first group of papers was devoted to 
the philosophical aspects of system safety 
especially the management aspects. Dr. John 
Clarke, Congressman Pettis, and Admiral Smith 
discussed the nature of the problems that face 
us. Dr. Wilmotte lectured on basic personal 
resistances to the acceptance of safety. Later 
on, Hurt of USC on System Safety Education 
added to this. It is not unusual for sophisticated 
management and non-safety personnel 
to feel that safety acts as an obstruction to 
progress. Could these resistances, voltages, 
amperages be put into the form of a model 
electrical circuit for further analysis? 

Dr. John Clark pointed out that if safety 
were applied to unmanned vehicles as it is 
applied to manned vehicles, it could cost the 
unmanned vehicle out of existence. This is 
also true of manned vehicles such as air- 
craft. Space vehicles are a special problem 
because of the serious political and prestige 
implications of mission failure. This justified 
the $100 million or so spent to correct 
the faults shown up by the 204 fire. In the 
case of more mundane vehicles there comes 
a point where small increments of increased 
safety are hard to justify on the basis of cost 
benefits. For example, Slides 2, 3. 

An example of cost benefit is the current 
requirement for crash fire rescue operations 
at airline airports. Relatively few airports 
meet the minimum requirements of the 
National Fire Protection Association. Most 
airline crashes occur on the approach to a 
landing off the airport where the crash fire 
equipment cannot get to the crash quickly. A 
ten year survey made for the piston era 
disclosed only two crashes in which a fire 
brigade saved the lives of airline passengers. 
To meet NFPA requirements would have 
added some $80 million per year in firemen 
salaries alone, with the possible saving of 10 
lives per year. These lives of course should 
be saved. The airlines would have to pay for 
this via landing fees. But resources are 
limited. Passenger safety would be better 
advanced by applying this sum to the 
implementation of landing aids such as ILS and 
approach lights and other means by design or 
procedures to prevent the accident. Now with 
funds from fuel taxes to be applied to the 
development of airports and airways, progress 
should be better. Is it easier now to justify 
$80 million or more for crash fire protection 
because aircraft are carrying more passengers, 
more cargo and the structures on 
the airport are costly enough to support the 
expenditure for adequate fire fighting 
brigades? 

The cut off of money for safety is a man- 
agement decision, as Gera said. The safety 
organization should provide the basis for this 
judgment. It should not be left to the staff 
that creates the problems or are willing to 
accept the hazards or fail to recognize them. 

Styles' paper on the Application of System 
Safety to Rail Transit Systems inferred this 
and gave proof of the need for a monitoring 
program. His paper supports Dr. Wilmotte's 
paper describing how and why management 
tends to underestimate risk. 

During the course of this conference there 
was a question or two about measuring the 
economics of safety. This should be done by 
searching for the total economic impact of 
accidents on society. For example, the num- 
ber of passengers killed by railroads is very 
small, but in their total operations, the 
railroads in 1970 killed more people than the 
airlines and general aviation combined 
(largely because of the grade crossings). The 
impact of accidents on society might be 
measured by the loss of the deceased's 
useful service to society. The following slides 
bring this out - slides 4-10. 

Congressman Jerry Pettis's inspirational 
talk urged the application of space age tech- 
niques, especially the systems approach to 
solve our many problems on earth. The 
agenda was slanted that way in relation to 
hardware, not social problems. We had talks 
on application of system safety to nuclear 
safety, consumer product safety, rail transit 
safety, auto safety, petroleum safety, and 
advanced surface transport safety. These are 
not the social ills which Mr. Pettis wants 
attacked. On the same morning that Congressman 
Pettis gave his talk the New York Times 
reported this - 

"If we can go to the moon, it is often 
said, why can't we solve some of our 
pressing problems on earth? Speakers at 
the Urban Technology Conference here 
stressed the point yesterday that solutions 
on earth were not as neat and straight- 
forward as developing a space-flight sys- 
tem." 

"Aerospace technologists were told 
yesterday that they must come out of the 
clouds and understand political considera- 
tions, city finances, labor problems and 
human relations before they can help the 
nation's cities solve their transportation 
needs. There is much more than tech- 
nology to solving these problems, James M. 
Beggs, Under Secretary of Transportation, 
told aerospace industry representatives at 
the Urban Technology Conference at the 
New York Coliseum. 

When I was asked to come to the 
department, he continued, I was asked that 
old saw: 'If we can go to the moon, why 
can't we get across town?' Well, the 
reason, I learned, is that it's tougher. 
There are people in the way of getting 
across town, and there aren't any people 
on the way to the moon." 

One reason for the success of space age 
performance or for that matter most suc- 
cesses in business is that a dictatorship or 
an autocracy exists which gives orders with 
considerable assurance of compliance. Not so 
with social problems, at least in a democratic 
society, until a crisis occurs. The crisis of 
pollution is beginning to draw people together 
socially to fight that problem. People tend to 
protect their individual prerogatives, using 
the democratic system to do so. 

I'm afraid that Mr. Beggs is correct. The 
enemy of people is people. Is there a system 
technique to tackle this? 

In my opening comments I referred to 
lawsuits based on product liability as a 
forcing function to stimulate adoption of system 
safety. I was interested therefore in Mr. Hayes' 
comment that "a prudent and reasonable per- 
son would make a system analysis to avoid 
being held guilty of negligence in lawsuits." 

Styles (and others) pointed to the well 
known feeling among design engineers that 
they do not need the help of safety specialists 
because they know all about it. Then he pro- 
ceeded to give a devastating attack on this 
belief in his account of errors made in rail 
transit design. Dr. Ball indicated that the 
DOD was considering a process of deemphasizing 
system safety as an independent 
discipline. But the weakness in the argument 
that the engineer/designer needs no inde- 
pendent risk management help is that - 

He is subject to the dictates of his im- 
mediate supervisor who must contend with 
schedules, performance, costs, politics. In 
short, the engineer, in spite of his Canons of 
Ethics dealing with safety, is an organization 
man. He depends on his organization (boss) 
for a living. 

He is not generally exposed to the safety 
interfaces, e.g., the design of a railway car for 
safety is often not coordinated with the design 
of the station platforms for safety (except for 
height), as Styles pointed out. 

While he considers himself an employed 
professional, and he is, this is not in the sense 
of the independent professional such as a 
physician who can more easily abide by the 
Hippocratic Oath than the engineer can abide by 
the Canons of Ethics. This is because the physician 
is not an organization man and furthermore 
because he sees the end product of his 
labor — the patient who lives or dies. If en- 
gineers could see the injuries caused by 
their design they too might be more forceful 
in their safety work. Decision makers should 
be given the safety picture by an independent 
source, not by men subject to other pressures 
or who create the problems. Dr. Wilmotte 
emphasized this. 

Suppose we were meeting here in 1889 in- 
stead of 1971 and our topic of discussion was 
"Should the Automobile Be Encouraged From 
the Standpoint of Safety?" What would our de- 
cision be if a systems analysis were to show 
that the automobile would kill a million people 
in 50 years, maim millions more, pollute the 
air? On the other hand, the automobile would 
also save millions of lives, offer independent 
means to get out of the city, get to far off 
places inexpensively with one's family, 
improve the standard of living of millions. Could 
you come to a rational decision, balancing 
the good against the bad? Using what we know 
about system analysis now, most of the nega- 
tive aspects of the automobile would probably 
have been engineered out. 

These remarks are personal and do not 
represent the official opinions of NASA. 